95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
Size

9.6MB
MD5

0fbda8da6711ba80824bd22a21ff396c
SHA1

617d0e570156e62cb3822f8da5e6b6c394dcd3ac
SHA256

95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e
SHA512

253cbd485c4478cd32d27d969b3653b51a05fd3239a09ead55d6b07f56796469becffb3bc7d2412aaab529cb1c47e5fc96a89ba9d688a7b9004c9ab21692b148
SSDEEP

196608:lphjlGclOtv7UwNCCx86srDo7rP4x8fueE7xv3B0v9aOUmnGhmz:Bj/wtTUup86sHg3fMvB0vghmGhU

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 7 IoCs

pid	Process
3888	AdbeArCleaner.exe
2044	AdbeArCleaner_v2.exe
1948	AdobeAcroCleaner_DC2015.exe
5052	AdobeAcroCleaner_DC2021.exe
664	AdobeCreativeCloudCleanerTool.exe
1752	ACToolMain.exe
3740	ACToolMain.exe

Loads dropped DLL 8 IoCs

pid	Process
3740	ACToolMain.exe
3740	ACToolMain.exe
3740	ACToolMain.exe
3740	ACToolMain.exe
3740	ACToolMain.exe
3740	ACToolMain.exe
3740	ACToolMain.exe
3740	ACToolMain.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\acaptuser64.dll	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\SysWOW64\AdobePdf.dll	AdbeArCleaner.exe
File opened for modification	C:\Windows\SysWOW64\AdobePdf.dll	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser64.dll	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser32.dll	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\system32\AdobePDFUI.dll	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser64.dll	AdbeArCleaner.exe
File opened for modification	C:\Windows\SysWOW64\AdobePDFUI.dll	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\SysWOW64\AdobePDFUI.dll	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\SysWOW64\AdobePdf.dll	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\SysWOW64\AdobePDFUI.dll	AdbeArCleaner.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser32.dll	AdbeArCleaner.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser32.dll	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\system32\AdobePdf.dll	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser32.dll	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Windows\system32\acaptuser64.dll	AdobeAcroCleaner_DC2021.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ro_RO\Acrobat Pro 3D\9.0	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\de_DE\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat [RegistryHiveName]\ReadMeJ.htm	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ro_RO\3DReviewer\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.CHT	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 10.0\ReadMeSKY.htm	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.KOR	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\hr_HR\Acrobat Pro\9.0	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\fi_FI\Acrobat_10.0_Professional.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\nl_NL\Acrobat_10.0_Standard.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\fi_FI\Acrobat_Pro.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\pl_PL\Acrobat Pro 3D\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\eu_ES\Acrobat Pro 3D\9.0	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\ja_JP\Acrobat_Pro.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\pt_BR\Acrobat_Pro.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 9.0\Viktigt.htm	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\zh_TW\3DReviewer\9.0	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ja_JP\Acrobat Pro\9.0	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.CHS	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Help\nb_NO\Acrobat Pro 3D\9.0	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.CZE	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\hu_HU\Acrobat_10.0_Professional.helpcfg	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\zh_CN\Acrobat Pro\9.0	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\bg_BG\Acrobat_10.0_Professional.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Acrobat_10.0_Professional.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ru_ru\acrobat\X\pro\using\helpmap.txt	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\lt_LT\Acrobat Pro\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.JPN	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\uk_UA\Acrobat_Standard.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.DAN	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.UKR	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Help\sv_SE\3DReviewer\9.0	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\eu_ES\3DReviewer\9.0	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.FRA	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\ko_KR\Acrobat_Pro.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.RUS	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\ko_KR\Acrobat_10.0_Professional.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\sl_si\acrobat\X\pro\using\helpmap.txt	AdbeArCleaner_v2.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\adbcl.exe	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\sk_SK\Acrobat_10.0_Standard.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 11.0\Leggimi.htm	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\lv_LV\Acrobat Pro 3D\9.0	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.PTB	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\lv_LV\3DReviewer\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\pl_PL\Acrobat_10.0_Standard.helpcfg	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\hu_HU\3DReviewer\9.0	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.BGR	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Help\ru_RU\Acrobat Pro\9.0	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\adbcl.exe	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.MEA	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Help\nb_NO\Acrobat Pro\9.0	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\sv_SE\Acrobat_Standard.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\fi_FI\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.JPN	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_us\acrobat\X\pro\using\helpmap.txt	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ko_kr\acrobat\X\pro\using\helpmap.txt	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\pl_PL\Acrobat_Pro.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat [RegistryHiveName]\ReadMeCZE.htm	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\uk_UA\3DReviewer\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files\Common Files\Adobe\HelpCfg\pl_PL\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ja_jp\acrobat\X\pro\using\helpmap.txt	AdbeArCleaner_v2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\ZWAdobeF.TTF	AdbeArCleaner.exe
File opened for modification	C:\Windows\Fonts\ZWAdobeF.TTF	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\Fonts\ZWAdobeF.TTF	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\Fonts\ZWAdobeF.TTF	AdobeAcroCleaner_DC2021.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4180	1948	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCreativeCloudCleanerTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACToolMain.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdbeArCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdbeArCleaner_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeAcroCleaner_DC2015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACToolMain.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Plugin\DefaultIcon	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\VersionIndependentProgID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E7-4981-101B-9CA8-9240CE2738AE}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0\HELPDIR	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.xdp	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}\ProxyStubClsid	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\4	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD069A1-50AA-11D1-B8F0-00A0C9259304}\Programmable	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EA23D88-569E-4EFD-9851-A1528A7745F9}\NumMethods	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.fdf\AcroExch.FDFDoc	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.secstore\AcroExch.SecStore	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\OpenWithProgids	AdbeArCleaner_v2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\FLAGS	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\shell\Read	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}	AdobeAcroCleaner_DC2015.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\7	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3F1-4981-101B-9CA8-9240CE2738AE}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AdobeAcrobat.OpenDocuments.2	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}	AdobeAcroCleaner_DC2015.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CD069A0-50AA-11D1-B8F0-00A0C9259304}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\Insertable	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\MiscStatus\1	AdobeAcroCleaner_DC2021.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\CLSID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\ProgID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PDXFileType\shell\Read\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\ToolboxBitmap32	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Read\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroBroker.Broker.1	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\AuxUserType\3	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F2383816-917A-46CC-AD2A-5013BED3800F}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\DefaultIcon	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\TypeLib	AdobeAcroCleaner_DC2015.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\ProxyStubClsid	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\acrobat\shell	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\0	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\AcrobatVersion	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml\CurVer	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\1	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\shell\Printto\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\MiscStatus\1	AdobeAcroCleaner_DC2021.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Printto\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\shell\Open	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\OpenWithProgids	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32	AdobeAcroCleaner_DC2021.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.xdp+xml	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\shell\Print\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3}\ProxyStubClsid32	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EE-4981-101B-9CA8-9240CE2738AE}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}	AdbeArCleaner.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat:Acro_R	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat:Acro_E	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat [RegistryHiveName]\Acrobat:Acro_R	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat [RegistryHiveName]\Acrobat:Acro_E	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files\Adobe\Acrobat [RegistryHiveName]\Acrobat:Acro_R	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files\Adobe\Acrobat [RegistryHiveName]\Acrobat:Acro_E	AdobeAcroCleaner_DC2021.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
3888	AdbeArCleaner.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
2044	AdbeArCleaner_v2.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe
1948	AdobeAcroCleaner_DC2015.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2072	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2072	msiexec.exe
Token: SeSecurityPrivilege	208	msiexec.exe
Token: SeCreateTokenPrivilege	2072	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2072	msiexec.exe
Token: SeLockMemoryPrivilege	2072	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2072	msiexec.exe
Token: SeMachineAccountPrivilege	2072	msiexec.exe
Token: SeTcbPrivilege	2072	msiexec.exe
Token: SeSecurityPrivilege	2072	msiexec.exe
Token: SeTakeOwnershipPrivilege	2072	msiexec.exe
Token: SeLoadDriverPrivilege	2072	msiexec.exe
Token: SeSystemProfilePrivilege	2072	msiexec.exe
Token: SeSystemtimePrivilege	2072	msiexec.exe
Token: SeProfSingleProcessPrivilege	2072	msiexec.exe
Token: SeIncBasePriorityPrivilege	2072	msiexec.exe
Token: SeCreatePagefilePrivilege	2072	msiexec.exe
Token: SeCreatePermanentPrivilege	2072	msiexec.exe
Token: SeBackupPrivilege	2072	msiexec.exe
Token: SeRestorePrivilege	2072	msiexec.exe
Token: SeShutdownPrivilege	2072	msiexec.exe
Token: SeDebugPrivilege	2072	msiexec.exe
Token: SeAuditPrivilege	2072	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2072	msiexec.exe
Token: SeChangeNotifyPrivilege	2072	msiexec.exe
Token: SeRemoteShutdownPrivilege	2072	msiexec.exe
Token: SeUndockPrivilege	2072	msiexec.exe
Token: SeSyncAgentPrivilege	2072	msiexec.exe
Token: SeEnableDelegationPrivilege	2072	msiexec.exe
Token: SeManageVolumePrivilege	2072	msiexec.exe
Token: SeImpersonatePrivilege	2072	msiexec.exe
Token: SeCreateGlobalPrivilege	2072	msiexec.exe
Token: SeShutdownPrivilege	3548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3548	msiexec.exe
Token: SeCreateTokenPrivilege	3548	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3548	msiexec.exe
Token: SeLockMemoryPrivilege	3548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3548	msiexec.exe
Token: SeMachineAccountPrivilege	3548	msiexec.exe
Token: SeTcbPrivilege	3548	msiexec.exe
Token: SeSecurityPrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeLoadDriverPrivilege	3548	msiexec.exe
Token: SeSystemProfilePrivilege	3548	msiexec.exe
Token: SeSystemtimePrivilege	3548	msiexec.exe
Token: SeProfSingleProcessPrivilege	3548	msiexec.exe
Token: SeIncBasePriorityPrivilege	3548	msiexec.exe
Token: SeCreatePagefilePrivilege	3548	msiexec.exe
Token: SeCreatePermanentPrivilege	3548	msiexec.exe
Token: SeBackupPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeShutdownPrivilege	3548	msiexec.exe
Token: SeDebugPrivilege	3548	msiexec.exe
Token: SeAuditPrivilege	3548	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3548	msiexec.exe
Token: SeChangeNotifyPrivilege	3548	msiexec.exe
Token: SeRemoteShutdownPrivilege	3548	msiexec.exe
Token: SeUndockPrivilege	3548	msiexec.exe
Token: SeSyncAgentPrivilege	3548	msiexec.exe
Token: SeEnableDelegationPrivilege	3548	msiexec.exe
Token: SeManageVolumePrivilege	3548	msiexec.exe
Token: SeImpersonatePrivilege	3548	msiexec.exe
Token: SeCreateGlobalPrivilege	3548	msiexec.exe
Token: SeShutdownPrivilege	2036	msiexec.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3888	AdbeArCleaner.exe
2044	AdbeArCleaner_v2.exe
1948	AdobeAcroCleaner_DC2015.exe
5052	AdobeAcroCleaner_DC2021.exe
664	AdobeCreativeCloudCleanerTool.exe
1752	ACToolMain.exe
3740	ACToolMain.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 2072	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	87
PID 4776 wrote to memory of 2072	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	87
PID 4776 wrote to memory of 2072	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	87
PID 4776 wrote to memory of 3548	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	90
PID 4776 wrote to memory of 3548	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	90
PID 4776 wrote to memory of 3548	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	90
PID 4776 wrote to memory of 2036	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	91
PID 4776 wrote to memory of 2036	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	91
PID 4776 wrote to memory of 2036	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	91
PID 4776 wrote to memory of 3888	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	92
PID 4776 wrote to memory of 3888	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	92
PID 4776 wrote to memory of 3888	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	92
PID 4776 wrote to memory of 2044	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	93
PID 4776 wrote to memory of 2044	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	93
PID 4776 wrote to memory of 2044	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	93
PID 4776 wrote to memory of 1948	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	95
PID 4776 wrote to memory of 1948	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	95
PID 4776 wrote to memory of 1948	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	95
PID 4776 wrote to memory of 5052	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	99
PID 4776 wrote to memory of 5052	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	99
PID 4776 wrote to memory of 664	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	107
PID 4776 wrote to memory of 664	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	107
PID 4776 wrote to memory of 664	4776	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	107
PID 664 wrote to memory of 1752	664	AdobeCreativeCloudCleanerTool.exe	109
PID 664 wrote to memory of 1752	664	AdobeCreativeCloudCleanerTool.exe	109
PID 664 wrote to memory of 1752	664	AdobeCreativeCloudCleanerTool.exe	109
PID 1752 wrote to memory of 3740	1752	ACToolMain.exe	110
PID 1752 wrote to memory of 3740	1752	ACToolMain.exe	110
PID 1752 wrote to memory of 3740	1752	ACToolMain.exe	110

C:\Users\Admin\AppData\Local\Temp\95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
"C:\Users\Admin\AppData\Local\Temp\95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /X {AC76BA86-1033-FFFF-7760-BC15014EA700} /qn /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /X {AC76BA86-1033-FFFF-7760-0C0F074E4100} /qn /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /X {AC76BA86-1033-FFFF-7760-000000000006} /qn /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner.exe" /silent /product=0 /cleanlevel=1 /scanforothers=1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3888
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner_v2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner_v2.exe" /silent /product=0 /cleanlevel=1 /scanforothers=1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2015.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2015.exe" /silent /product=0 /cleanlevel=1 /scanforothers=1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 2244
    3⤵
    - Program crash
    PID:4180
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2021.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2021.exe" /silent /product=0 /cleanlevel=1 /scanforothers=1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:5052
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeCreativeCloudCleanerTool.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeCreativeCloudCleanerTool.exe" sudo /Applications/Adobe Acrobat DC/Adobe Acrobat.app/Contents/Helpers/Acrobat Uninstaller.app/Contents/Library/LaunchServices/com.adobe.Acrobat.RemoverTool Uninstall /Applications/Adobe Acrobat DC/Adobe Acrobat.app --eulaAccepted=1 --removeAll=ALL
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe
    "C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe" sudo /Applications/Adobe Acrobat DC/Adobe Acrobat.app/Contents/Helpers/Acrobat Uninstaller.app/Contents/Library/LaunchServices/com.adobe.Acrobat.RemoverTool Uninstall /Applications/Adobe Acrobat DC/Adobe Acrobat.app --eulaAccepted=1 --removeAll=ALL
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe
      "C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe" sudo /Applications/Adobe Acrobat DC/Adobe Acrobat.app/Contents/Helpers/Acrobat Uninstaller.app/Contents/Library/LaunchServices/com.adobe.Acrobat.RemoverTool Uninstall /Applications/Adobe Acrobat DC/Adobe Acrobat.app --eulaAccepted=1 --removeAll=ALL
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948
1⤵
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe

Filesize
6.5MB

MD5
f40111f2ec18859799264e204ef97dae

SHA1
f18a56eabd4ca0bf1ddebc546a0bcce8e34a9783

SHA256
7f413b98b6295508d19f4b9b5c1842104b3ae1938898422fbc6855e7cd042fd5

SHA512
85332357d6a19fc57106a4208d1c9d37f25688953698c70dd4d3bb498e3a0841f986f9ea386b4c9b19be143a02b1709a98059d0e17a3de2bdf05f306a9e24ea3

Download Submit
C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\en_US.txt

Filesize
2KB

MD5
30cd177a4424d4229d8a1fb25a6b1e28

SHA1
b888b1d16bde18d24cb23c8b6b19ff59843c5001

SHA256
388ec8c0e2524f39c04bd9eefcb8a9f54be1b84a7f48c6cdcac26ef4fcb476b8

SHA512
749833e12a2d32b8c56275f41b68c0a867ac42064045fb0cec9ff47b0994657e42e90859d0495f1bfe25c34674c5adfbef0af4df0c62ec28dde6226de5736b36

Download Submit
C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ja_JP.txt

Filesize
3KB

MD5
5e05dc88dd24e414541c8dd0f895abc8

SHA1
27e139e6f31eae79a51530e99720248dc39314e7

SHA256
09735466b479511f776d332150cd90d444d9d4c6572220ea02d24425a053be5f

SHA512
46ed0efdc64692d8bbb7d171e6d9c5cc460f17affdbff29f4171cb3d1ab8de56dc41c34c9f3252f5bcefedcd0200a1199494fdc7f02491dec068ea46f2bf6250

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftLogs\AdbeArCleaner.log

Filesize
25KB

MD5
dc181950330e2c2cc866438240e67d4e

SHA1
0be388b80ba19a2689bcf38cf8810e9c6f21721d

SHA256
f2ca078a9b237d31ad940be2a2cbcbeb48747fdd4e623f81b0894adc9af08f78

SHA512
185ab787d8d5741ba433891640f5ec973e0330b1742408b9ba8a27b0ac3fd08e6418fd3d120887426fb8093fc52e409e1ccd9eec15e46b2cf8bdfee9b415770e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftLogs\AdbeArCleaner.log

Filesize
384KB

MD5
b457f393624d0ac0efb4a35f8c986c51

SHA1
5472a51c72e2c6c8368319209549eaa9643107de

SHA256
78bdef97860197d3f36ecabd546cb01ad844c213910545f3f1c9a68bf6e89f89

SHA512
4202f086d8f49c0151949d0892216efdf2733e9c899f821ba9911de8a0555a6c90ee57b9c5b07be90c139aedbc6e3d124cba5629fa133e55c1ce0e0b2ef1596e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftTempFiles\Acrobat12Files.xml

Filesize
11KB

MD5
59fc9d58353562e706c2f3ff2a7f02f8

SHA1
7ff1bd1f0c2fc3ab3d277f7ef0a6125d3be9a09f

SHA256
9052022200d8f9e2fb9e77455316b84b2078879a915ff9fb96978343118c2718

SHA512
8e51417caaeda7f6fa6b921c250f2ffa02003e28c8132fe1c9632b5d80d318646b8a9e69fc983eb472f090d81df03ab9a3645653c5e89810e14b1c886f717c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftTempFiles\Acrobat12MergeRegistries.xml

Filesize
237B

MD5
2d20ff8a511675ee6c565c967373ec05

SHA1
732a9a4df7eb675b707a04e6d3ec6aa6fdb3f765

SHA256
db977007fe5e9dffd8475feccbe17e3034db063c20f1ac88c26619d0efc92f3d

SHA512
5ce4dc7c76797cbac2a248eab1e9e6aa4286e2ac37b09da1daf8539da2d6a8ea4133953d8dcb3634108a3d721c2d067d8c1876afdc11ad3fd93bf39ea2f282eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftTempFiles\Acrobat12Registries.xml

Filesize
211KB

MD5
4b7514603af05af489adafcd43612a9b

SHA1
ef6a90d7916d7613bc51c92a6ff2a4bfc4565d6b

SHA256
7660d9e801006058a908ead8dfcf4199c0be3f44e26e068edf24041824819230

SHA512
437db8301240467295e465ac08d9c48187d4fa4dcf4c13eae94644c08249c4b852d516b0b1b40df70dda8507deddd84f7f01b166d9c39e779ec7c612baad313d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftTempFiles\UserFiles.xml

Filesize
9KB

MD5
6128efda5177131423fbc779e7527462

SHA1
90502a3ba004a0e0fd5d34d41c4b6d49ec4a0938

SHA256
9b183d89a467de99c038fde1e93b92f2b93ca2a228acb0c8b965ec787859725e

SHA512
72ba36c77b35d2e2d92287d1f36b09075e7df0e5d7d5f7c9b0b7bd891f6db972b8154520a94611558946a4bcf8f6ed15436461f9626fce2e8788dac79231cfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftTempFiles\UserRegistries.xml

Filesize
10KB

MD5
3f4fc94063b4e5c1ce90eae4031449fb

SHA1
13a4397f903484bfc18503124a239b4adb257f82

SHA256
075ab4a8eb16a8d1dedd7e3ad7871442b9ffe33a20dd59b7ce7e4366584e14e7

SHA512
4759e5ffe54f91c28915702a4b68398c55b949cf7d7f0208f43411a8fef60b97100c7a714c47d003b810cfdafac84a788e0e77fecd083e933a20aa86cceaa072

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner.exe

Filesize
2.0MB

MD5
47fb9f02f83dc4797b2989424ec3cc95

SHA1
09fe7d3777833add1153d8f54d3a453a3bae4524

SHA256
ecf73394229a4f060e31c422b2e730efec2d49200bf0ff60d220cb6202e0cf17

SHA512
2c3530e97d1b45ce65989bbe05780b9fd780dc066362d26a69218a34f393e145624514630dbfb119d7a34478edd3e0edb0b0b1a13d4143cb4d1b1fedf4bf92ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner_v2.exe

Filesize
2.2MB

MD5
1d59933af6493bb3327f939dc89f0145

SHA1
7223f76424e2a5afab37fd068dbe98ff2690e8e2

SHA256
f134cdafd92d95428e8b5795851621e493936def21c2c1e6bb084c8630d826f4

SHA512
db85477008c1eae4ae6ce0ff9d6d0ff02cc40b595190dff0f9622109b47f0a07075848143d649e0a020354bc3dda4f60c89f6b763d4faa986a2e8a107cfd54a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2015.exe

Filesize
2.1MB

MD5
3a7912e4ed0053166b5955377094b1b5

SHA1
95e1746b53edb3fca3db0f1de01f6a215730304b

SHA256
a6a07aa438d8eacdc7d1502168d02b7d49bfeab6792c0c4363acbe0bcd7216ee

SHA512
2e0a6bef9950bb556589360dcfd75344d03fba7528cd8a0ad55c3272de6885a0d3e9232e357b7506cf2a8d2567f1fccf83d6e75e2bf31f2c288a14ef3a261163

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2021.exe

Filesize
2.7MB

MD5
8690f654b1f942ba8d534136f5f01f8a

SHA1
ad712610550f794d8e57d037ab6eccd9f1cd4f3b

SHA256
af48d67ac8f753ee0a9784e0fe17e4c0419849ceb3a80a3e4533fd9aa2d0aa78

SHA512
45d3a5ff276538ad3d83f6f5cc40c189d8e229c47e21e8c06c4d29d66bae86f175ad98bf32dc09c96c8e44d1ae32e284ddc1ac42f3f9a188054844dd08427757

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeCreativeCloudCleanerTool.exe

Filesize
8.1MB

MD5
e5da70938aeb54b3b14abf9e65c29d04

SHA1
3284e1c5103c92c85946957c9501efff0660e60d

SHA256
3323012c634fdcd01e318febc533086b4e8c953326e9a97f645d3d954413f747

SHA512
947baa097936754f633af830a1623db53e24accce6b1d2c37ec99275a9625adcf189a2fe0adf255fa3282bb2a18fa0c301c5310074085087329999f33006093f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17522\ACToolMain.exe.manifest

Filesize
499B

MD5
001ce64d40f5d96cfaed8c3fbca126dd

SHA1
f14664edf8b5d80b12608c36fd8568d59a4ccaa7

SHA256
6351b663c952000efabe581f2c10db0505b2bd973f35f90344a27e1763d3be39

SHA512
176a3c12d27d763486127efa9c8fdbc1c646f7cd52593fb71090c1a5f28bc353311de59a6f5896cf5c254dcf5de193548055ad347fe748e74c034b5eaf917655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17522\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17522\PyWinTypes25.dll

Filesize
120KB

MD5
512d382120cee043f588adb419e74a9a

SHA1
03a945e6fa92656cde8c51f3d3f12c72c0b534c8

SHA256
ce0ab6842646ad2312e50f6af16fe409710a4f4caf90e8d77bc041a6ae1d80a6

SHA512
d6a27f2e4c740d37094af61001f155964d34b69a4994b84a7210583016ba92a7458c9fb28ed57365afb6a25542c4351a47bca6ea8a2310b5760bb0a2d513b2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17522\_ctypes.pyd

Filesize
80KB

MD5
019603557a38c54685fa9701347f61d5

SHA1
2742f8d4f4389735c673da86ca996d11b8765910

SHA256
14947d2369718a54aea0a39d9d1fbf34be96eb1f61be75d9330620cf2e821ed2

SHA512
ea3e4c05dd3ef4f002ac7dd8fc8330a3fa4ae7bd7a0e997147eecdba38efe528a0a4d09d2665537c3cce570d56a04ae447fc4be7f6818f1b968de110e4fa7a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17522\python25.dll

Filesize
2.0MB

MD5
d944becdd81caf160e6b2b3604291807

SHA1
656a376eb618cabe3bd255042ab2f2af7dc40985

SHA256
109e0a699a455f819b296cf17bfa89a55c92be9b61978b49a3c9b21c7595e5bc

SHA512
520b413671ef6997431fab54e7b7151674c484517f6879183d45a26d5f85f6beab2708925e4000bef15308845ef4c8e16e163bf1abf16cfdd475c311cde7776f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17522\pythoncom25.dll

Filesize
332KB

MD5
57e1d877a4590ab0cfd08f045196136d

SHA1
9576fb239666c9e44e08bb5605474a46aa42afa8

SHA256
ef537876ffeb4ce20b5dd7a18f444fdcca49562927ad27fe2b63ac0557c35bc1

SHA512
ede517807efb7d286c776e6525aa33bde37af967b4304097a8da456a99faad6f52ccc165fa4e7b0346932dc485f1a8874403814b87b27a593c9c7a8be580e0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17522\win32api.pyd

Filesize
104KB

MD5
6963b77ba2242514663ae52901a4fe11

SHA1
8086f59c4a7b2174fb7501923f22937e3ecf8215

SHA256
ffa18d3d344c133904854f81a999aee7a7cac4784201aba07ef4f3e1b6fef6d5

SHA512
6261adad18fd4bc2e5e160a737dfef1da99b563743ac353df77b2fe56267270b6ed00be073bdf6b4aae0ad44abd4f8d9c44cd4c43b6b6a14cd9b664e9ff1f75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17522\win32file.pyd

Filesize
112KB

MD5
7a413cbb37b41d21712ccdba93e88d3d

SHA1
7a77b6dde51ed56b1647609e7f9b0fcc245e597f

SHA256
c6f524cb79c109f16c4495a44879845e74af12573bad3d3456ef0b98bd8abbd3

SHA512
40fa7ed0cc358454e0007488c95f328c6ddfd012e9d59575f59ea8a2ba69dc5a60d5f389b8f50e9f7e562103a187d0dce2f8cdf305b74b10ed040ee3ed7e51f8

Download Submit
memory/2044-92-0x0000000000090000-0x0000000000325000-memory.dmp

Filesize
2.6MB

Download
memory/2044-57-0x0000000000090000-0x0000000000325000-memory.dmp

Filesize
2.6MB

Download
memory/3740-224-0x0000000002220000-0x0000000002279000-memory.dmp

Filesize
356KB

Download
memory/3888-46-0x00000000002C0000-0x0000000000515000-memory.dmp

Filesize
2.3MB

Download
memory/3888-20-0x00000000002C0000-0x0000000000515000-memory.dmp

Filesize
2.3MB

Download