Analysis
-
max time kernel
146s -
max time network
139s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
29-09-2024 19:44
Static task
static1
Behavioral task
behavioral1
Sample
new.exe
Resource
win10-20240404-en
General
-
Target
new.exe
-
Size
45KB
-
MD5
078f1a2a913ba70371d443044db7cc40
-
SHA1
44010076b38bec2436aa1b853a9670090852744a
-
SHA256
413fe778ab59f6f665df797beb735c0fcd5b43ef69c24095114284c65a257d17
-
SHA512
5d541ba26857f1d6c94a74aa66452b9471b516dc3db08e185774a6e4058f6a727a803872e9e1bc9586ac50f3abcb762fc3c28598c785e6ec441fb8da2e725e8e
-
SSDEEP
768:Tzl6vbR77QVBgqtpYhoQWxZIiqBXWPXCN8z5us0BOHtokRCvM+T+rU0mdId1/:3UbR7IDmJBXWJ51nHtokRcM+u5H/
Malware Config
Extracted
limerat
-
aes_key
123499
-
antivm
false
-
c2_url
https://pastebin.com/raw/ZJ0Dhft2
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/ZJ0Dhft2
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\MitigationOptions = "256" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\DisableExceptionChainValidation = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\DisableExceptionChainValidation = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\MitigationOptions = "256" MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\DisableExceptionChainValidation = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\MitigationOptions = "256" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\DisableExceptionChainValidation = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions = "256" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe MsiExec.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation RdrCEF.exe Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation RdrCEF.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 9 IoCs
pid Process 4152 RdrServicesUpdater.exe 944 AcroRd32.exe 984 RdrCEF.exe 3564 RdrCEF.exe 4180 RdrCEF.exe 3116 RdrCEF.exe 1544 RdrCEF.exe 4676 RdrCEF.exe 1724 RdrCEF.exe -
Loads dropped DLL 64 IoCs
pid Process 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 3568 MsiExec.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 984 RdrCEF.exe 984 RdrCEF.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 984 RdrCEF.exe 984 RdrCEF.exe 3564 RdrCEF.exe 3564 RdrCEF.exe 4180 RdrCEF.exe 4180 RdrCEF.exe 3564 RdrCEF.exe 3564 RdrCEF.exe 4180 RdrCEF.exe 4180 RdrCEF.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 2 pastebin.com 3 pastebin.com 4 0.tcp.ap.ngrok.io -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\Elevation.tmp MsiExec.exe File opened for modification C:\Windows\SysWOW64\msvcr100.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp100.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcr110.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\msvcp110.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\vccorlib110.dll msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4812 set thread context of 2996 4812 new.exe 73 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\nls\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer-select\js\nls\uk-ua\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\css\main-selector.css RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\ui-strings.js RdrServicesUpdater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf msiexec.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe msiexec.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\js\nls\zh-cn\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\themes\dark\adobe_spinner.gif RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\viewer\nls\nb-no\ui-strings.js RdrServicesUpdater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe msiexec.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\js\selector.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\core\dev\nls\zh-cn\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\images\themes\dark\Close.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\@1x\[email protected] RdrServicesUpdater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe msiexec.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\file_types\organize.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\files\dev\nls\eu-es\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ru_135x40.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us_2x.gif RdrServicesUpdater.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp msiexec.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\cs-cz\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\js\nls\nl-nl\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\css\main-cef-mac.css RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\win8-scrollbar\themes\dark\arrow-right.gif RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\images\cloud_secured.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\js\nls\pt-br\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\themes\dark\x.cur RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\nls\de-de\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\files\dev\nls\de-de\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\js\selector.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\plugin.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\error-icon.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\js\nls\sl-si\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\comment.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\illustrations_retina.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\Playstore\ru_get.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sample-files\js\nls\cs-cz\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_hover.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\images\themes\dark\s_radio_selected_18.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_checkbox_partialselected-default_18.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_reminders_18.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\move.svg RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\rhp_world_icon_2x.png RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\app\dev\nls\en-il\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\js\nls\en-gb\ui-strings.js RdrServicesUpdater.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\home\images\themes\dark\icons_retina.png RdrServicesUpdater.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\e58b734.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b739.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b741.HDR msiexec.exe File created C:\Windows\Installer\e58b759.HDR msiexec.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico msiexec.exe File opened for modification C:\Windows\Installer\MSIDC16.tmp msiexec.exe File created C:\Windows\Installer\e58b734.HDR msiexec.exe File created C:\Windows\Installer\e58b741.HDR msiexec.exe File created C:\Windows\Installer\e58b74d.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSICA9C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICB1A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDDF0.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\e58b744.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b754.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSIB6DC.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBB98.tmp msiexec.exe File created C:\Windows\Installer\e58b72b.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b72f.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b731.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b738.HDR msiexec.exe File created C:\Windows\Installer\e58b73d.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b756.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSIC9CF.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58b759.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSIB73A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBABB.tmp msiexec.exe File created C:\Windows\Installer\e58b72e.HDR msiexec.exe File created C:\Windows\Installer\e58b72f.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b73c.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b73e.HDR msiexec.exe File created C:\Windows\Installer\e58b750.HDR msiexec.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico msiexec.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico msiexec.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDFFile_8.ico msiexec.exe File opened for modification C:\Windows\Installer\MSIDC05.tmp msiexec.exe File created C:\Windows\Installer\e58b72a.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b72c.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSIDBD5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBB58.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58b729.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b735.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSIC05F.tmp msiexec.exe File created C:\Windows\Installer\e58b728.HDR msiexec.exe File created C:\Windows\Installer\e58b73c.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b742.HDR msiexec.exe File created C:\Windows\Installer\e58b74b.HDR msiexec.exe File opened for modification C:\Windows\Installer\MSIDE32.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDC36.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58b740.HDR msiexec.exe File created C:\Windows\Installer\e58b746.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b755.HDR msiexec.exe File created C:\Windows\Installer\e58b756.HDR msiexec.exe File created C:\Windows\Installer\e58b75b.HDR msiexec.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico msiexec.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico msiexec.exe File opened for modification C:\Windows\Installer\MSIC8A2.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58b72b.HDR msiexec.exe File created C:\Windows\Installer\e58b732.HDR msiexec.exe File created C:\Windows\Installer\e58b733.HDR msiexec.exe File created C:\Windows\Installer\e58b73a.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b73d.HDR msiexec.exe File opened for modification C:\Windows\Installer\e58b744.HDR msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language new.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrServicesUpdater.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\" msiexec.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4} MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppName = "AcroRd32.exe" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578} msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3} msiexec.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\Policy = "3" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\ msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88} msiexec.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b msiexec.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.api\AcroExch.Plugin\ShellNew msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32 MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\VersionIndependentProgID\ = "AcroPDF.PDF" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroBroker.Broker.1\ = "Broker Class" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\pdfprevhndlr.dll" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{BE79C475-D632-4A57-91B3-DA044FA27CDA}\1.0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\NumMethods\ = "7" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\MiscStatus\ = "0" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings\BrowseInPlace = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E8-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\0\win32 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\PDXFileType\shell\Read\command\command = 3300340054004c006000690060005a00350028004e0033003200260028006a0046007b0029002100520065006100640065007200500072006f006700720061006d00460069006c00650073003e006600570044004b003600510062006e006400390033002600280053005e0046004a006900340030002000220025003100220000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pdx\PDXFileType\ShellNew msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\BrowseInPlace = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.fdf\ MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C52A2CC-66F1-4B2B-A9E4-9723791F0BBD}\ProxyStubClsid32\ = "{671B6145-4169-4ADD-9AF3-E6990EB2B325}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.XDPDoc\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\4\ = "NotesDocInfo, 1, 1, 2" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DEA7885-1846-411F-A41E-017A8FD778FF}\TypeLib\Version = "1.1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\AuxUserType\2 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.SecStore\DefaultIcon\ = "C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\SecStoreFile.ico,0" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D3F22039-E3CF-4FC4-9A30-426A46056B8C}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Read\ = "Open with Adobe Acrobat Reader DC" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\shell\Read\ = "Open with Adobe Acrobat Reader DC" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\ToolboxBitmap32 MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\.pdfxml msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{673E8452-7646-11D1-B90B-00A0C9259304}\TypeLib\ = "{7CD06992-50AA-11D1-B8F0-00A0C9259304}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\MiscStatus\ = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32 MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\CLSID\ = "{B801CA65-A1FC-11D0-85AD-444553540000}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\Content Type = "application/vnd.adobe.xfdf" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\6\ = "3, 1, 32, 1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F1E6C7A4-6B15-4C06-B1EF-88A4F2A886CB}\ProxyStubClsid32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{7CD06992-50AA-11D1-B8F0-00A0C9259304}\1.0\HELPDIR msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Read\command msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EA-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Adobe\Acrobat\Exe\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\"" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.XFDFDoc\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\AcroRD32.exe\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\MiscStatus\1\ = "131473" MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC\Shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.acrobatsecuritysettings msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EC-4981-101B-9CA8-9240CE2738AE} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\Insertable\ msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B744CAF070E41400\Patches msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.fdf\Content Type = "application/vnd.fdf" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\shell\Read\command\command = 3300340054004c006000690060005a00350028004e0033003200260028006a0046007b0029002100520065006100640065007200500072006f006700720061006d00460069006c00650073003e006600570044004b003600510062006e006400390033002600280053005e0046004a006900340030002000220025003100220000000000 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\acrobat2018\DefaultIcon msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EA-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\ProgID\ = "AcroPDF.PDF.1" MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\AppID = "{F2383816-917A-46CC-AD2A-5013BED3800F}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{62776AC3-A015-4BA5-A1C7-DCD765881249}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Control\ MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.Document.DC\shell\Read\command msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\DefaultIcon\ = "C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\PDFFile_8.ico,0" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7CD069A1-50AA-11D1-B8F0-00A0C9259304}\VersionIndependentProgID msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3ED-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid msiexec.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid Process 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 1816 MsiExec.exe 1816 MsiExec.exe 2996 RegAsm.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 1816 MsiExec.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe 2996 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2996 RegAsm.exe Token: SeDebugPrivilege 2996 RegAsm.exe Token: SeSecurityPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeDebugPrivilege 3568 MsiExec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeRestorePrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 424 msiexec.exe Token: SeTakeOwnershipPrivilege 1816 MsiExec.exe Token: SeTakeOwnershipPrivilege 1816 MsiExec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 944 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe 944 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4812 wrote to memory of 2996 4812 new.exe 73 PID 4812 wrote to memory of 2996 4812 new.exe 73 PID 4812 wrote to memory of 2996 4812 new.exe 73 PID 4812 wrote to memory of 2996 4812 new.exe 73 PID 4812 wrote to memory of 2996 4812 new.exe 73 PID 4812 wrote to memory of 2996 4812 new.exe 73 PID 4812 wrote to memory of 2996 4812 new.exe 73 PID 424 wrote to memory of 3568 424 msiexec.exe 79 PID 424 wrote to memory of 3568 424 msiexec.exe 79 PID 424 wrote to memory of 3568 424 msiexec.exe 79 PID 424 wrote to memory of 1816 424 msiexec.exe 80 PID 424 wrote to memory of 1816 424 msiexec.exe 80 PID 424 wrote to memory of 1816 424 msiexec.exe 80 PID 424 wrote to memory of 4152 424 msiexec.exe 81 PID 424 wrote to memory of 4152 424 msiexec.exe 81 PID 424 wrote to memory of 4152 424 msiexec.exe 81 PID 944 wrote to memory of 984 944 AcroRd32.exe 84 PID 944 wrote to memory of 984 944 AcroRd32.exe 84 PID 944 wrote to memory of 984 944 AcroRd32.exe 84 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 3564 984 RdrCEF.exe 85 PID 984 wrote to memory of 4180 984 RdrCEF.exe 86 PID 984 wrote to memory of 4180 984 RdrCEF.exe 86 PID 984 wrote to memory of 4180 984 RdrCEF.exe 86 PID 984 wrote to memory of 4180 984 RdrCEF.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\new.exe"C:\Users\Admin\AppData\Local\Temp\new.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 126A54B790620021111B1E78AD68935C2⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C2EB86C53B501CB71B84805B5C4C440B E Global\MSI00002⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20069 19.010.20069.02⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4152
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1A38888587D3417ABEC2F37E9A54BA17 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3564
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8CE798235FE8FDECEF98EC12BE26886C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8CE798235FE8FDECEF98EC12BE26886C --renderer-client-id=2 --mojo-platform-channel-handle=1612 --allow-no-sandbox-job /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4180
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0D9F0CB7FE407FCD7156C4266D48C6D5 --mojo-platform-channel-handle=2204 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3116
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B246308872BE08BB32B84615DE54BF44 --mojo-platform-channel-handle=1616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F741AF35C2E6A1C0BBEFE0251E028EA2 --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4676
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B86E5DB27C7D15618CE04B560E64F3B1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B86E5DB27C7D15618CE04B560E64F3B1 --renderer-client-id=8 --mojo-platform-channel-handle=1896 --allow-no-sandbox-job /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
632KB
MD5ad7006e9b04b97cef0fbf396fbb23843
SHA118caaee320f53485ad8b062481fbae3da685edd6
SHA2563186052bbb848ab8eee52e5885667862f7874448f234119e470c375064d49cb1
SHA5128b3f9663e422b2b6a15ff82cee0876e6a42aef4bc0775ea54bfe13c63e9dc4e62d400309084c2f6abfdada99e651dc22408ddc54f1184d756f4bf2bdf0cde833
-
Filesize
24.8MB
MD51248c72c9c64a59abaa6b7c3d23f90a9
SHA1b4c3778574c39f7e64bcc3b7b0e42c577e937504
SHA256efe7823887f5366e78a53b1992e65afca89f4c0149c54d5e4c0d746c6d4c8ab9
SHA5126e3001c2f282b00430d15d8359be1ee1d3541b49c1fcdc02f0dc433ea0b470b52387772866f08ebad854f28b6ff1123e9015d25916ba91aea014fb96821e6b3e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_remove_18.svg
Filesize711B
MD58bb62cfad37334a15129a0da2091d472
SHA1a9f223eb2bd355c8cbf7d17db501db834f39cb6c
SHA25694f76b160568e3705f1e0d2d6ff3ee6927bd812032498d373bbcc516af2864f7
SHA512da08c15accffeca9c1ec985899ebf234aa881546dfb80862c72bfe206dfbf92772582ff87c0636ca0a4cdeeb03635de7a24aecacba86e22683a1d689724d6dab
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon.png
Filesize445B
MD5ed537606a39879a091a8c085cf95ff38
SHA186c73d85094efbfdcd80abf119f03b64a71cbd0f
SHA25642c312aa2a038ca54e9a6fe4bad8c9c044c35b4c5f421496f289c00c957d7591
SHA512fc331c2e1ec84a6a83b51f365484033b3069d73c5987094cf526c45a92c3297df22fe2a35ec20382ed4d563ee604ecbdbdf17fb735f7e0118ab444b4d5db8e9d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_2x.png
Filesize611B
MD537d179c947c13f64b7b6356f57441032
SHA19d1c1bd0c370336c229baeb2cd7f80d7b3cf4d0a
SHA25671039e6370f68913e67cb8451d3127c22d3e1045ca644e4dc9821e9f6f6899aa
SHA5123034a8b9694bbde20be0f7fa2596fbca8fd3f1e45810b15a5cb1a2bc6f4ef852afc36639a56f82a4e582d74684724d5c4ee43cbf5e33c94c6cf00b3c059757bf
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_hover.png
Filesize388B
MD56d8f7e9751f955452a9ceeb815456035
SHA1e6903b2ec0f2c5632d4288f88d993d4a41f04527
SHA2568bcf53efcb1b630087d4cfcedf5e48a7abaa9c71dd13745eedfd2c7cfa6827f5
SHA512c869a94a224bce8ed553f5a86ffdea6d8a279e06a1c060b311cc52e4538b89e07fc0a4a76f85a28e2f62e8629a7c67101e990cc12bef2d0e2d6d7d3c1d4d7d90
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png
Filesize552B
MD5f364ee8508831e375004ac82b924efd5
SHA1b04bc510ef53760bdd22ce0dd9d2e2f248c16df7
SHA25687da831caa04bd303918a32265830ff97648dc8adc18881ba14d1cc1d28cde85
SHA512399b2da615c0373214e3cf421f502fd0de02bdb9473da644e9f23df9ea7fc792da7d36bde61a456c2451276f74877232c8bedbe55e57098c1ffd13719206bac3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png
Filesize388B
MD539be6b8bd8dce3ff5a1c20ac41ba993f
SHA1a49d8a0c769601bf922c8aa1673bfd3a92d67855
SHA256854a09f1f875a3a2e6566c593af465c9c8a3aa9b9112eb755bb09cee76224a63
SHA5129fd5d4f02aa9d24ce9591ac0542d0abadf2b26208c3043220d2a0f036298199131ad804f9be20c6cc67f39e2921eebec65efb3a1e435ee7318fd8591fcc2fa2a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png
Filesize552B
MD5b34c8c3b8117b038839beefa0df5a7ce
SHA1c8d1e8eb4c71d5aa02e36fe3b7365374a9e4e32b
SHA256bfef65c62bfc309f698e8e0b999edfc06ad272b87d805f183551c43f08d704a9
SHA51289fa9f31f62c6e119e6280dbc475c35dd7bb37c27457732a0b1cb04809a35fec44a12ccb6a3a626586d596a0636d754a9ff79ecd9ed739c5c6edea50738a60d7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png
Filesize388B
MD52ca9f57d61ed45337ec4e6565480367f
SHA1fa06ed14d72ad8ced6ad98a4e223bc80cccc5e75
SHA256a584379ebf9aa0d3c0239edb7e1f114f01a9865f01c68494d5f28d410ba8d873
SHA51283a172f2f304b2f634c313e248b62c11b7798f416872929ef233134bfc4ad8f44b1b4dfa123e8378a233417e1298a73088258f5671ace96ff677d1f26447de87
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover_2x.png
Filesize552B
MD574af10749d7f19d15c8dca65a7453415
SHA1dc96d9dbffe472600548dc64c724055e62620d8d
SHA2560e0084df79ab98e5df48ed1e01987f7ac3fcf4a038dd5453708d868f73a073a8
SHA51283d190bf6f9cb77894e7aaf84029c40a2a0335e43d08062ca2275a2cb7a784a29b3b7b8be820c7dfb2f1458ab0528fcdfe45f05491be673b30495e1ed916999e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\icons.png
Filesize7KB
MD5d3963e6fe853dbd9d22f794d5ece4c48
SHA1db35a3e565d0b6dca7ad243443a5560a1247eb33
SHA256a870c4e9ff6c433b5583a8f09fcdfbe712241c7e7d64cd59a10c2ad592f64fe5
SHA512fe60a1b2a20d3c11152df2d6fbee05c3d6b80c89486d258dd6d318c3f89deef3e91a116c502c117d79a5020489e394194310f5c7a7ea3d4b7d284ca5a3e43ca7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif
Filesize7KB
MD5d4585d0ccf35ae69b1246339cfb46b90
SHA11fffc3492684a5db89e949d2d8b612eabb38994b
SHA256d6707a7a393687bccd92de05cecbd746be791f3a670cb4fc106252f49d2a0a2a
SHA512a85560cabd3ce3dd21177948884a921385c0325b431dd281edda61d3585a69ceef28cb339c5a88d167597451ce22d54828b03d69823b5737bf3e253bd9bda9f6
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\icons_retina.png
Filesize15KB
MD57045217d47de04c1d72eea7413b780c4
SHA104c73e38fa17d35a1f684577cc79d77615c09e02
SHA2568c659d0904687a97d9c6b649e4b74e99b286265e92252908824efcd07f956b66
SHA512abe433cb154598ad2c0de6070d6e75bb70274a58ce92007ce200201f788553517bb579b0df5cbde3b4f2bebdca1243f0e54836d125d72ea206b3ccba1d15a385
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\new_icons.png
Filesize8KB
MD50e366a48bdf6a3b140508e56eed0bf0f
SHA1bcd76a4a537fc00d8c468b9496d3d5b5dd6a2a7e
SHA256a311b5a78e1b856505337b90e53edb4ba380160234e1b4e8801c231ba8d590a5
SHA5121830e3e260a50f79553673bec5775c0ba623284d233c25a2da016f273e67e218f5d2f49bed5f9e68842c7dc14b852e979fbfc7ed336f9a34dafd04a48742f827
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png
Filesize17KB
MD528a435033f504be69def6f9d52efd2b8
SHA16f50318e05b79851a445f98d4b3ae3d65feb22ad
SHA256f84c7c93947e86e2a499117d4c55910de9fbaefb6d703a8d0f90f4867c69c182
SHA512a2b410bb6bb328eb1e3af794259bacce7918f44698c8145fa530af9be6bfc22a064c1f0ee5d7ce289f4a60a50fce9b56a720793d19ec477340b1d7ef158df6b0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\bg_pattern_RHP.png
Filesize179B
MD5117ec36a5cc6d82e63e8b3beae4a3099
SHA14c692192be53827f8ec8015ceb129f6e0f89e923
SHA256041917c06c638a1b1accaf0d2f0b2a6dd335dea629de602e104553024d822ea4
SHA512abb02a02a9161ece12464020676e880f1eed96b43a9dfd4f7ca06dc203fe633b0a712da5f151d36a5644d65aad7b2880c135df0bc42d7c1e61b44006807a8c9d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\illustrations_retina.png
Filesize19KB
MD5ff84cb8f89545b86e32abd27a9694e1e
SHA13cde537531f8689772bc9eb39a12c687da5d5225
SHA2568b32854c17056ea617a680cd26ea91015e77d68260f656758984583eb6895a87
SHA5122690d712ba02fbaa769689d0eae380d0988721c6fcb710e04e1e2aba56496cb58f5d4168fe75540139afce179b1250c2ceb11fc4c3d589a3615ad20dccacc8f1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\bg_patterns_header.png
Filesize703B
MD5ccc8d470e94b3441e41521572ba86ccd
SHA1d294d7e78b596fefcc8084fab7917c54d3043e27
SHA256a7cdf870b0b1b8459e94ed25a29daa87f5e9050294bf6cdff3bc72f93b928f94
SHA512f3b2ca4d3160a089f6959b7c8e3e6c213c0facb2733f7948a7222196d3bd8c7350015602569df2cdc7408e38b0ff6700306d7e3439f0892b4d13d9f2d5329e42
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\illustrations.png
Filesize8KB
MD5f6e318123e7ad5933a49669eb035c737
SHA1ed8938fa3c13af75978bbd0bcdd3e8bd40a02004
SHA25619f68990146444907956056019aaee514c522c3c00ae00604da44a1bec2f8f51
SHA512b2506a283dbdcf40ba0cac63b4fd0249463218cc9511ce52cae5ab8c36706090fc1f1942f1082204dcdad5d80e7b655d9e12326c820ac21f64a508999e130743
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\js\nls\ui-strings.js
Filesize1KB
MD5d59d8ff7aaa17ee875adbe48b7a77e78
SHA17405acc07f6137b7fd9575f99a2b4354135956ef
SHA256d74c0782682efde01c1c30e46814256f7d16d7df00a7167d90f2bd55ebaab626
SHA51263fc8bef9e8ef833e45d99f954a9eb99d6bbcae39b2eca8a7000ac11b976cdd0ce0581e5e5e6b2f1bb2bdc911e31690e503dad945f0a3ea702dfe404896eded8
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\example_icons.png
Filesize683B
MD5a0522ef468697e74b90c444ceb4aa17a
SHA131fa5bb9b4ada150c9001b6e9f3213644117187f
SHA25657804748e775c08ae188b4d860f31e4482ab99b44ed1d8489780daa6756fb11c
SHA512bbb91f8b3c204c4c04da2ad635eb18e9f224f73395dac509c438c0a645316162b6ff78e03e7af76d5da2d9e84cd0c4b5e9db1d4dc08bc3f524bcc55c1f4dbbd3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\pages-app\images\example_icons2x.png
Filesize1KB
MD599a1fefa123aa745b30727cc5ad50126
SHA1c48f74cee78f8ed8463634d80c4112f3e12bd566
SHA2567a610114be56ff131462bc67f9a23bcd4fde4fdd0158691448ab9e4a3eb2ca3b
SHA512504800f03a4aa57c1cfa15b28542382728b5f3dd85309fe12ebfd711980d78d15d8241d5f54956ee41da2cd65203b7764ab7b15119457b74ebc07fcf8e55a742
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\ui-strings.js
Filesize1KB
MD53dde11f8594519f004ded2687db9b90e
SHA1fcf1854df851616a25d7cf1439a9120b16902420
SHA256196c132938d324c62184ddc85bdb1cd642af830712e0fbf0fb3230978316d510
SHA512adc2cb3a37dbf5fe2ae79f5752c0d38d2427a95e333e848ffa113046f630eaa967b3cb29c049dcdd9b921d57e23392562d779c24207f770aba6e92392064f17b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js
Filesize823B
MD55e884e2f05ac036b7a6cded3efc2ea2d
SHA1807c1cf1bf0943404601b6241bf4bcf9fcc29c9e
SHA256b333de3a4a7be7749b82302085ed26ad868f0f8eccd09d2a8bb8840414e624d6
SHA5126665aa6fa35e05d01a4a2312a93faf52d6b39409bfaa861c187b0cc2fc51e74aa253ebf56061872d548cb6d3d7bbf1f7c2568de81e5287e0a1d6591c1e780f15
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\css\home-selector.css
Filesize802B
MD5bfeb063e064c71e44ce75898e79c61bc
SHA1c4dcb4b6814cbee53b415a2a5df02fa500510ef3
SHA256af439ebb0d55750003f7dbec517e7b0b26a6a0506b21e3b74d800cd1c7faa004
SHA5120835ebe63867fba6d69a25c83dca767ffd9c57907ba76d9c71012be18510e2145a358d37c1cf4e4ad35d1cdd4f67ffd5928e70e18a376db607d8482356f12219
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png
Filesize2KB
MD54c27ad089d04cfefd979d56f2a67b172
SHA163289f9198ee4553759b07de7a4229ad370fa976
SHA256e34bcd5b8436d3bc45f98dd913d41f185c6b06326b66937d6e0d5c6434b16fe7
SHA51223f9283f769fd310dcac26cac00d2eb033763d73bd45b0d148ea1ec3a3c75b073572c9fa9234699372a7e1caad7fcde7629d004815536df1d39d291f2d2d96a9
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png
Filesize2KB
MD561bd39ed095fa82ffd334fbd7982616c
SHA151af9c2cd42743c5cf81200e0fba3cfaff801885
SHA256237a70fe0388ce6884f5424692c460625691ef7acb0bf80403ec6b25f348b94a
SHA51254dd8e1a5c19a9d51892a12e9501b7f6f69e09e0c446ec36f7ddfd9ad0d9cef52604ab2f8071c71ce63989510a703f1cfd5492e1ac20c8b37258ba21f8952400
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png
Filesize4KB
MD5543415ad8ba14db1b75a93a551a4abfc
SHA13d4737451e899240fe19daa07f3c58ce9a623631
SHA25603bcfd7fcbd98e48b1954f912ecd66ce0bd5c181da0c2408beed01486ed23804
SHA5127c4bd1cf6fc8d7aeedb1c666ca45c95615927fe76cad3d3c4f4dafc987f4ac04f527ecaebb3103f593eb080302e768fcd77739ce8344ff2e7ec10efdd1113cd0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png
Filesize385B
MD5c789d387908d7b7f21c6474a86e84019
SHA11c36fc6954178c43d9249a5ff3c7246057c6aead
SHA256223f32512aec50c1c00fafc476d8e4ce61e79aa748c67b72fe55514882a31a5a
SHA5121cab85dff119b591046049b69b6208283ca5e009d95129bb407df2768c82da30fd2af8debf6f1bbd91f37518538f3ba6bcda32b63d1d278b56fdd1f5f93439ca
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png
Filesize1003B
MD5c5aab3d175e0a3753ed2c3bbd7b929c1
SHA13ebee0101ad62449a67f506df9c8e7dacc39f877
SHA2562e187b74e926afe70eafe0648c7125817e99f5586eee3e2e05446e360d4cc1bd
SHA512e967020462477c3e9465e3383c544cf468dd89f4da084193634f5bcdc001b90f5bad3f4f6dda9e95ebe068108986daf41504e02331f4922ea25e7ffee1f27040
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png
Filesize1KB
MD5808971f45b803583d9d1f812803d81b7
SHA10f6aaecba7c976ed8c2f53782b3d3148f41b2905
SHA256c25d9409ddf9645c2731ec785cacbb7568005bfc78fe0aec7df3ae3c4d30e333
SHA512121e6b01125f9e9d4894f7d498bb4d39ce676ce51e29cbcd148e0c1feed46fbc58267cea7d5f66654be831dc479e4643be8b28b005467309b7df5cc7fbcd0dbe
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png
Filesize2KB
MD5ad68c0b141ea1dbfcadb540c1817289f
SHA1548a46167f7f5193c5a1335753bc208bf92aa504
SHA256537ac64cd204d7ef82cfe41c932deb9cb1ae738b2156eff4dbf73208384c0a13
SHA512269ae39458a9f30351166f304825b777f3ff143b7914b98e83e01600fa04c7790e6e813466c2a1c5396ce13cd2199792905cf0baba1cd28a420440efce0843e8
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small.png
Filesize289B
MD536503740756a442b7be294947462be83
SHA1a1203ae869deb46f59a3273f6d130e7457bf5321
SHA256d188ab283c552eee50677129f3b0ffd8d97828c4e7007bea258174c9a2200e87
SHA5126ff98b15c7d757dd351bf50a1c4ac759a73fdafe03d5fad506478550987d0ec016ba9e617c099e6bf7b0263846eddc4eb32cb70fb1fbbc1189791defe556967a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js
Filesize840B
MD532147da1c647161e45a1004eb1b16349
SHA1a953c222cce91729ebab36bddd43bd5a795a69cc
SHA256434731fdc6d2f5115c5f7786ac989fedef7d0f60cd2ad4385cc98f6d2160566c
SHA5128c825f8d38519cdac2a49e4ee8a9564ae72839199562ce9acfe72b4fbb94f8946775054782cf26a9566eaf8cf944a26e42b7b372c4e7349b33a8e17dcd13df94
-
Filesize
57KB
MD5c23d4d5a87e08f8a822ad5a8dbd69592
SHA1317df555bc309dace46ae5c5589bec53ea8f137e
SHA2566d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b
-
Filesize
418KB
MD567f23a38c85856e8a20e815c548cd424
SHA116e8959c52f983e83f688f4cce3487364b1ffd10
SHA256f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA51241fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d
-
Filesize
148KB
MD5be0b6bea2e4e12bf5d966c6f74fa79b5
SHA18468ec23f0a30065eee6913bf8eba62dd79651ec
SHA2566bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b
-
Filesize
209KB
MD50e91605ee2395145d077adb643609085
SHA1303263aa6889013ce889bd4ea0324acdf35f29f2
SHA2565472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA5123712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be
-
Filesize
271KB
MD5f88c6a79abbb5680ae8628fbc7a6915c
SHA16e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA2565ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA51233e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361
-
Filesize
340KB
MD5d07cea5fbf17f2ffa4fdcb38e395dbaf
SHA1c0218a4f53428d71f19f1121b8532b3fe0d178b9
SHA256c5ba5c23decaa64a9176f20f8b18a8c89b42ed54f55f3285bd400fd74051e37e
SHA51298ad990280e9db23ee91e23ee5d0ebc8e289eed7923cd07bb31b845af28ebe0a09bc49f9de2c7e81a49a041d9f87f089a4a67402e1182c41e0d41a3e47264d4f