Malware Analysis Report

2025-04-03 11:08

Sample ID 241109-1ycnestbre
Target dia-setup-0.97.2-2-unsigned (1).exe
SHA256 8257389d6264742d414404beaaaac869336c91f9f9af1e31ee081aa6e7857f3c
Tags
discovery pdf link
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files sections, in report order: behavioral7, behavioral23, behavioral28, behavioral8, behavioral20, behavioral27, behavioral6, behavioral21, behavioral24, behavioral29, behavioral9, behavioral14, behavioral18, behavioral31, behavioral1, behavioral11, behavioral13, behavioral19, behavioral22, behavioral26, behavioral32, behavioral2, behavioral3, behavioral4, behavioral5, behavioral10, behavioral12, behavioral15, behavioral30, behavioral17, behavioral25, behavioral16

Analysis Overview

score
7/10

SHA256

8257389d6264742d414404beaaaac869336c91f9f9af1e31ee081aa6e7857f3c

Threat Level: Shows suspicious behavior

The file dia-setup-0.97.2-2-unsigned (1).exe was classified as showing suspicious behavior (score 7/10). The filename identifies it as an unsigned build of the Dia 0.97.2 Windows installer, and every signature below corresponds to an observed action that an NSIS installer for a GTK application performs anyway: dropping and loading its own DLLs and EXEs under Program Files, loading the bundled gdk-pixbuf image loaders through rundll32, opening the bundled CHM manual with hh.exe (HTML Help hosts the Internet Explorer rendering engine, which is why hh.exe touches Software\Microsoft\Internet Explorer\Main) and opening the PDF manual with Acrobat Reader. In the detonations included in this report the only recorded network activity is reverse-DNS (in-addr.arpa) queries to 8.8.8.8. None of this proves the package is clean: the PE carries no Authenticode signature, so the practical check is to compare the SHA256 above against the hash published for that Dia release before trusting the installer.

Malicious Activity Summary

discovery pdf link

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

One or more HTTP URLs in PDF identified

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Modifies registry class

Modifies Internet Explorer settings
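
The two static signatures most worth re-checking by hand are "Unsigned PE" and "NSIS installer". The following Python is an added example written for this page, not code from the sandbox or from the Dia project: it computes the SHA256 to compare against the value in the header, reads the PE optional header to see whether the Authenticode security directory (data directory index 4) is populated, and scans for the NSIS first-header magic (0xDEADBEEF followed by "NullsoftInst"). The build_minimal_pe helper fabricates a skeleton PE32 purely as constructed sample input; the offsets 0x400/0x800 it writes are arbitrary.

```python
"""Static triage helpers for the 'Unsigned PE' and 'NSIS installer' signatures (added example)."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the Authenticode data directory
# NSIS first-header magic: 0xDEADBEEF little-endian followed by the ASCII tag.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def security_directory(data: bytes):
    """Return (file_offset, size) of the Authenticode blob, or None if absent.

    Unlike other data directories the security entry holds a raw file offset,
    not an RVA. Presence only means a signature blob exists; it says nothing
    about whether the certificate chain validates (use signtool or
    Get-AuthenticodeSignature for that).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    opt = coff + 20                                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        n_rva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                              # PE32+
        n_rva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_rva = struct.unpack_from("<I", data, n_rva_off)[0]
    if n_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if off and size else None


def is_nsis(data: bytes) -> bool:
    """Heuristic: the NSIS first header is embedded verbatim in every NSIS installer."""
    return NSIS_MAGIC in data


def triage(data: bytes) -> dict:
    return {
        "sha256": sha256_hex(data),
        "authenticode_present": security_directory(data) is not None,
        "nsis": is_nsis(data),
    }


def build_minimal_pe(signed: bool, nsis: bool) -> bytes:
    """Constructed, non-executable PE32 skeleton used only as sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew -> right after the DOS header
    opt = bytearray(96 + 16 * 8)                      # PE32 fixed part + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if signed:                                        # arbitrary offset/size for the security blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x800)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    body = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    if nsis:
        body += b"\0" * 32 + NSIS_MAGIC + b"\0" * 32
    return body


if __name__ == "__main__":
    import sys
    print(triage(open(sys.argv[1], "rb").read()))
```

Run it as "python triage.py dia-setup-0.97.2-2-unsigned.exe" on the real sample; for this report the expected result is authenticode_present False and nsis True, with the sha256 matching the header. A populated security directory only tells you a signature blob is attached, so a True there still needs the chain validated with a signing-aware tool.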

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:03

Signatures

One or more HTTP URLs in PDF identified

pdf link

Unsigned PE

Description Indicator Process Target
No indicator details recorded (65 rows, all N/A)

NSIS installer

installer
Description Indicator Process Target
No indicator details recorded (4 rows, all N/A)
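
The "One or more HTTP URLs in PDF identified" signature fires on the bundled dia-manual.pdf, but the static table above records no indicators, so the URLs themselves have to be pulled out separately. The following Python is an added example for this page, not code from the sandbox: it extracts /URI entries from the /Link annotation actions of an uncompressed PDF, handling both literal strings (with PDF escape sequences) and hex strings, and filters to http/https. SAMPLE_PDF is a constructed minimal document using example.org addresses; it is not the manual shipped with Dia.

```python
"""Extract HTTP URLs from PDF /Link annotation actions (added example)."""
import re

# /URI appears in the /Action dictionary of a /Link annotation, written as
# /URI (literal string) or /URI <hex string>.
_URI_LITERAL = re.compile(rb"/URI\s*\((?P<s>(?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<(?P<h>[0-9A-Fa-f\s]*)>")
_OCTAL = tuple(bytes([c]) for c in b"01234567")


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve the PDF literal-string escapes that can occur inside a URL."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\" or i + 1 >= len(raw):
            out += raw[i:i + 1]
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in (b"(", b")", b"\\"):
            out += nxt
            i += 2
        elif nxt in _OCTAL:                           # \ddd, up to three octal digits
            j = i + 1
            while j < len(raw) and j < i + 4 and raw[j:j + 1] in _OCTAL:
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        else:                                         # \n \r \t \b \f or line continuation: not URL bytes
            i += 2
    return bytes(out)


def extract_pdf_uris(pdf: bytes) -> list:
    """All /URI targets in document order, literals first, then hex strings, de-duplicated."""
    found = [_unescape_literal(m["s"]) for m in _URI_LITERAL.finditer(pdf)]
    for m in _URI_HEX.finditer(pdf):
        h = re.sub(rb"\s", b"", m["h"]).decode("ascii")
        if len(h) % 2:                                # PDF treats a missing final digit as 0
            h += "0"
        found.append(bytes.fromhex(h))
    seen, result = set(), []
    for u in found:
        s = u.decode("latin-1")
        if s not in seen:
            seen.add(s)
            result.append(s)
    return result


def http_uris(pdf: bytes) -> list:
    return [u for u in extract_pdf_uris(pdf) if u.lower().startswith(("http://", "https://"))]


# Constructed sample: a minimal uncompressed PDF with three link annotations.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10]
  /A << /S /URI /URI (http://example.org/dia-manual) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/a\\(b\\)) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <687474703a2f2f6578616d706c652e6f72672f686578> >> >> endobj
7 0 obj << /A << /S /URI /URI (mailto:someone@example.org) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for u in http_uris(data):
        print(u)
```

Real-world manuals usually store annotations inside FlateDecode object streams, where these regexes see only compressed bytes; decompress with a PDF library (pikepdf, pdfminer) or qpdf --qdf first, then run the extractor over the result. The list tells you where the links point, which is the question the signature raises but does not answer.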

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A (2 events)

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.chm

Network

N/A

Files

memory/2348-16-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20241010-en

Max time kernel

8s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2124 (7 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1

Network

N/A

Files

N/A
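
The "Suspicious use of WriteProcessMemory" rows in this and the other rundll32 detonations all show the 64-bit C:\Windows\system32\rundll32.exe writing into its SysWOW64 counterpart with the same command line: when 64-bit rundll32 is handed a 32-bit DLL it re-launches the 32-bit rundll32, and the parent's writes into the freshly created child are creation-time setup rather than injection into a foreign process. The following Python is an added example for this page, not sandbox code: it parses rows in the format printed above, collapses repeats into counts, and separates WoW64 re-execution and vendor-internal child processes from writes into unrelated processes, which are the only rows worth a closer look. SAMPLE_ROWS copies rows from this report plus one constructed cross-process row (PIDs 4321 and 1234, path C:\Users\Admin\AppData\Local\Temp\updater.exe) that does not occur in the report.

```python
"""Triage filter for sandbox 'PID X wrote to memory of Y' rows (added example)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Row layout of the WriteProcessMemory tables in this report:
#   PID <src> wrote to memory of <dst>  N/A  <src image>  <dst image>
# Image paths end in ".exe" and may contain spaces ("Program Files (x86)").
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_img>.+?\.exe)\s+(?P<dst_img>.+?\.exe)\s*$",
    re.IGNORECASE,
)


def parse_rows(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def classify(src_img: str, dst_img: str) -> str:
    s, d = PureWindowsPath(src_img), PureWindowsPath(dst_img)
    same_name = s.name.lower() == d.name.lower()
    dirs = {s.parent.name.lower(), d.parent.name.lower()}
    if same_name and dirs == {"system32", "syswow64"}:
        return "wow64-reexec"        # 64-bit host binary re-launching its 32-bit twin
    if s == d:                       # PureWindowsPath compares case-insensitively
        return "self-child"          # same binary spawning a worker of itself (e.g. RdrCEF)
    if str(d).lower().startswith(str(s.parent).lower() + "\\"):
        return "vendor-child"        # target lives under the writer's own install directory
    return "cross-process"           # anything else: review the pair by hand


def summarize(text: str) -> dict:
    """Map (src_pid, dst_pid, class) -> number of rows, collapsing repeated events."""
    counts = Counter()
    for src, dst, si, di in parse_rows(text):
        counts[(src, dst, classify(si, di))] += 1
    return dict(counts)


def needs_review(text: str) -> list:
    return [key for key in summarize(text) if key[2] == "cross-process"]


# Constructed sample: rows copied from behavioral23 and behavioral6 above, plus
# one fabricated cross-process row (4321 -> 1234) that is NOT in the report.
SAMPLE_ROWS = r"""
PID 2660 wrote to memory of 2124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2592 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2796 wrote to memory of 2592 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2796 wrote to memory of 2592 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2592 wrote to memory of 1624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2592 wrote to memory of 1624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4321 wrote to memory of 1234 N/A C:\Users\Admin\AppData\Local\Temp\updater.exe C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_ROWS).items()):
        print(f"{key[0]} -> {key[1]}: {n} x {key[2]}")
    print("review:", needs_review(SAMPLE_ROWS))
```

This is a noise filter for reading sandbox tables, not a detection rule: a legitimate installer launching hh.exe would also land in "cross-process", and a malicious DLL handed to rundll32 would still be classified "wow64-reexec" because the rows only describe the host processes, not the DLL. Pair the process view with the file and network views before drawing conclusions.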

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 60 wrote to memory of 3036 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 100.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

137s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A (2 events)

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.chm

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1124 wrote to memory of 1608 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2516 (7 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-jpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.pdf"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A (7 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A (1 event)

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A (20 events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2592 (3 events) N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2592 wrote to memory of 1624 (41 events) N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2592 wrote to memory of 2276 (20 events) N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3D768DD3863B2A31534F9D1ACA5446E --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C748B7185E57F3EBA04AD3BB266ECBA5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C748B7185E57F3EBA04AD3BB266ECBA5 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3C6C825D4102BCB3855693633BA45AF6 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=50B2FACD009B9532976F15CE9A83873B --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F316EE0BC64A842F93E41447D4D68A56 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5DB7F682F6156A83F15BCBD169459503 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5DB7F682F6156A83F15BCBD169459503 --renderer-client-id=7 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 204.20.192.23.in-addr.arpa udp
US 8.8.8.8:53 107.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 65a4e61a77963a5054054e2afe5af9c8
SHA1 8f194ca6db0e9e174734e5f4d9d8fcd1aea24980
SHA256 785c0c8cbc6098d136d0463ca973669f32dc96d348bf68ff0a6ec18b6be272ca
SHA512 260db5b51fc20b6455acf256cb0a0a03d96fdae18a53e674d1a1ddc56344d85f21d3dcef7ce0de4be87203ef5cda7736b2ea976bd608440af5796fb61e5c7aa9

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2480 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2480 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2480 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2480 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2480 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2480 wrote to memory of 2388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3700 wrote to memory of 3512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3700 wrote to memory of 3512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3700 wrote to memory of 3512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.pdf"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.pdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6aca654ba8c2b85cf5f54314185161aa
SHA1 2a6c7f8a406749d8a9eadee9d7bf8f8f5c82de29
SHA256 fd19f5bc1296c061d7804d416a44925283e77fade7ba81ef0b9fc2a4328cce2c
SHA512 f2ac9449d2c09da5bd421c5a330b1ee50b781bb486b1a0caf67c25a60132f05537a73b868f82c71c7b5242b8a982ade89ef33238c8177d85b13877027e3940bc

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.pdf"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4256 wrote to memory of 2076 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4256 wrote to memory of 2076 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4256 wrote to memory of 2076 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3936 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2076 wrote to memory of 3880 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A9517C5E50A84B681E4DDFD1A62DA8C4 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=84656632FFB2CD46AFFC342399DB43B9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=84656632FFB2CD46AFFC342399DB43B9 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C4490B7BFB523CB0B98D30E69C454D9F --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B046108F9EEA08AF2D2E8EB5A5A7B042 --mojo-platform-channel-handle=1880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=66A3A88520A95AC56941AFBBF3CD6D65 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=66A3A88520A95AC56941AFBBF3CD6D65 --renderer-client-id=6 --mojo-platform-channel-handle=2140 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4C254B66078C7C2C5BB3CB19AB3431E6 --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 204.20.192.23.in-addr.arpa udp
US 8.8.8.8:53 107.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 8c629d66b264ee4d61cd815b3236c086
SHA1 81ffd2608d8b468da37c4587bfdaee9885d3f88f
SHA256 1e494737c20c61e11962426ace6884de7f3bc7c5dca48aa5ee13d0abc89cb91c
SHA512 f52dde9d4cbb40518b23d8f94778b12e9cf258500d546fb9ddb4badfe716c3e536773ceb97350009495575f6d2799cf1c871b212c96a70e74b7ec71b52f466d3

memory/4256-121-0x00000000093D0000-0x000000000967B000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 1556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4488 wrote to memory of 1556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4488 wrote to memory of 1556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20241023-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 2920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 2920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 2920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 2920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 2920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 2920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 2920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240708-en

Max time kernel

137s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\diaw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Dia\shapes\Electric\vcommand.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Pneumatic\cnx.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\be@latin\LC_MESSAGES\glib20.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\mi\LC_MESSAGES\gtk20-properties.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Circuit\vinductor_de.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\server_with_pc_router.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cybernetics\factor-greater1.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\intelliswitch_stack.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\woman_blue.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\sheets\network.sheet C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\eu\LC_MESSAGES\gtk20-properties.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\lib\locale\ja\LC_MESSAGES\atk10.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\BPMN\Intermediate-Event-Rule.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\100baset_hub.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\firewall_subdued.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\pt\LC_MESSAGES\gtk20-properties.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\uz\LC_MESSAGES\gtk20.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\shapes\network\printer.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\et\LC_MESSAGES\gtk20-properties.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\ta\LC_MESSAGES\gtk20.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\communications_server.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\edge_label_switch_router_with_netflow.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\flowchart\document.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\pt_BR\LC_MESSAGES\glib20.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\sonet_mux.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\locale\kn\LC_MESSAGES\dia.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\pl\LC_MESSAGES\glib20.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Map\Isometric\Tree1.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\bin\libpng14-14.dll C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Circuit\lamp_de.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\mux.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\university.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\sheets\cisconetwork.sheet C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\lib\locale\or\LC_MESSAGES\atk10.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\dpt.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\workgroup_director.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\network\patch-panel.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\multilayer_switch.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\router_in_building.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\stp.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\shapes\Contact\l_outnot.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Gane_and_Sarson\process.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\BPMN\Group.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\ChemEng\airforced.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\ata.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\pad.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\jigsaw\part_ioio.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\sheets\UML\eventsink.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Map\Isometric\Train2.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\samples\Visio\vdxtosvg\animation_tests.svg C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\locale\sv\LC_MESSAGES\dia.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Assorted\triangle-isoceles.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\government_building.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\laptop.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\BPMN\Intermediate-Event-Link.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\accesspoint.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\en_GB\LC_MESSAGES\gtk20.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\zh_CN\LC_MESSAGES\gtk20.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\cddi_fddi_concentrator.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\vn2900.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\samples\self\dia-linux-2.dia C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\atm_switch.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\shapes\Pneumatic\comspr.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\jigsaw\part_ooio.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Dia\bin\diaw.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t dxf \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dia\Content Type = "application/dia" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\ = "Create CGM image" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\ = "Create PNG image" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dia\ = "diaFile" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\ = "Create Windows Meta File" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\ = "Create EPS file" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t hpgl \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t shape \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\ = "Create TeX PSTricks macros" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t wpg \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\ = "Create DXF drawing" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\ = "diaFile" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\EditFlags = 00000100 C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t mp \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t png \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t svg \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\ = "Create dia shape" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t cgm \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\ = "Create TeX Metapost macros" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\ = "Create HPGL file" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\dia-win-remote.exe\" diaw.exe --integrated \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dia C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t eps \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\ = "Create SVG image" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t wmf \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\DefaultIcon\ = "C:\\Program Files (x86)\\Dia\\etc\\dia-diagram.ico,0" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t tex \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\ = "Create WPG image" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\ = "Create XFig drawing" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t fig \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
PID 2984 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
PID 2984 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
PID 2984 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
PID 2984 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
PID 2984 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
PID 2984 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe
PID 1504 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Program Files (x86)\Dia\bin\diaw.exe
PID 1504 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Program Files (x86)\Dia\bin\diaw.exe
PID 1504 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Program Files (x86)\Dia\bin\diaw.exe
PID 1504 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Program Files (x86)\Dia\bin\diaw.exe
PID 1504 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Program Files (x86)\Dia\bin\diaw.exe
PID 1504 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Program Files (x86)\Dia\bin\diaw.exe
PID 1504 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe C:\Program Files (x86)\Dia\bin\diaw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe

"C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.bat"

C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe

.\gdk-pixbuf-query-loaders.exe

C:\Program Files (x86)\Dia\bin\diaw.exe

"C:\Program Files (x86)\Dia\bin\diaw.exe" --integrated

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nse907.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

\Users\Admin\AppData\Local\Temp\nse907.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nse907.tmp\ioSpecial.ini

MD5 63432dea8a90abb8e3f2655f8af7be00
SHA1 64df68c0014bc2baa7faa1b8e3c9579f744a4a2f
SHA256 ced3fc554eb3d298044d1420dc16b845dde5f5f12f894d8f1bad03eb88a20e05
SHA512 d0fe1e9a90f69fa2e3f50ea2fc98caf42572d95e4cdac807f4c82f00eb9b1963cde90185ec00822487e1f73e915921ff9319e526c035f2208bb7accb323b67aa

\Users\Admin\AppData\Local\Temp\nse907.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Program Files (x86)\Dia\shapes\Electric\contact_f.png

MD5 769418c2c959df0b58fc44990ab35678
SHA1 8216cce7f9dd359c0397254d08b34c9bbf9f0cf2
SHA256 f4b982b8bd1d14eeec01f2ba81f386b1c7531defa20ab33b93ff4c24222edcdb
SHA512 38657ed89144d7ce9f11af432fbdfda0241d348f02385178277b5e02a3b42650c108a7797b277fd9743bf9e03cbb250ad7f1576e499924508c08c9de2d8465c3

C:\Program Files (x86)\Dia\shapes\Electric\relay.png

MD5 de2be0dc706d9521593a56790d41ddbd
SHA1 eb04b193530b90cd0dd0a30bf79a453e26a31adc
SHA256 38c878c60763942773e08b416d7a57ce4d839618098e0c08f509e6b5c9c0918f
SHA512 064da4939d0a3a01203552e46b9d9fb1031b89cea7aa19c76c724945ebb656f25d28b83fc1c4c05af126b98981b84fc99d702fea9f729385de0fc6bdbe52795b

C:\Program Files (x86)\Dia\shapes\Pneumatic\cnx.png

MD5 a46b4391b54836f4eb77d13a3dc1b6fd
SHA1 7287b898fcf189eccb3657eb80e66f3cc496b501
SHA256 e25947afe63d6c7297934995d5d19315e7dea452804e4dd20f1c0f803693851d
SHA512 ae54933dc85794ad25fc4934586a6e563fb3b1175955c0c0fdf01b870ce01b122599651f299fd01074dba628f09dd82b1c1b70964c576a9f6a10179abe399cdb

C:\Program Files (x86)\Dia\sheets\Jackson\designed_domain.png

MD5 232e5acd595bedf4ff623d0190dd9c1f
SHA1 19f4777cc146d2c44388a74f0c2c44cb2782d92c
SHA256 e344612fc4418b2517b9743e397e628f0ff6d598e779e0e42eb07489f9e9c825
SHA512 ed006138ebc51eaa5bd2b8f862b4e54dd9bdfefe77c6a0165d600ace0d06673759c7fa476ca61f750f053ff1012f9116171dd17529e251173fe7852a7f0fc6ab

C:\Program Files (x86)\Dia\bin\libtiff3.dll

MD5 cfd09d054747280ed660ef7d79d0d443
SHA1 a27dd167551e19ac15adb035608a3ed6a94c15de
SHA256 373a9d90cc37a365e0e22c3efe35f14924f33ff6d778ddccb1603093468abf25
SHA512 b477f033784ceb084a2a383af784937a28b823e550d53e6bc90516f33e3521aeb54416796f6188c72e7a407ebd61673bd09956c50bd5eda8056065099d6417aa

C:\Program Files (x86)\Dia\bin\libxml2.dll

MD5 7ee993251d55a2eab74340d27ff82260
SHA1 15975f2aaf1dab31a7b22af068b531d806bf337e
SHA256 20e6d1109016042147a058f5ec45f0bcd58c290a89380e4d9ec467e98f0d99ca
SHA512 b9c1bf31272dda582ec05d4bd7dd4575962d4c7ac13867785104866cd42b481320368fd9a7a36ae2ebea38edc726e48ceeaa3d33bd70020fbff9afa64d561f05

\Users\Admin\AppData\Local\Temp\nse907.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.bat

MD5 79f54de0035d4e7431f3ca60a907f0a1
SHA1 bc273d1ea3227a445b86458cc335a72e3221ac85
SHA256 9f040e3e3241fc600cbe21bd72eaec40a455a99f02d8829a801683037907e3cc
SHA512 5c03fcd4c6a65dbdfd707776450946051e2fe3b3df99b4d033515751b2e2062253bb4c208d07c1bfaf70c733c874dcc5c1e1517acb0a0a42f370c1d0608e193d

C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe

MD5 5792bf1e8e2ebc1f00bbd6cbd19dad06
SHA1 f679aa2befee24305fc1fae7b42bfce7b81c6ad8
SHA256 58d880f065930a7a90ffb3a2cd964ab3b02c9a858fe5da880e152a2e1e9bc956
SHA512 bed5097a2adae3d3772203825ff62dfe2dd57dfc854837647fd61b83153420ebe44d45b7fdb9a24820ebeae5ba0c499012f0ae064ee5b54ed73e5a7d41431c3a

C:\Program Files (x86)\Dia\bin\libglib-2.0-0.dll

MD5 18e88b04da123bf05b07ff60a4e96654
SHA1 f46cd8411e579da9f31749809a5707fecb28b7db
SHA256 c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde
SHA512 735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4

C:\Program Files (x86)\Dia\bin\intl.dll

MD5 eb2d4c4d4a527bc88a69a16cc99afcf5
SHA1 b326ec4919e1ec9595c064b24853b1e6b71530a3
SHA256 682d4277092472cac940558f9e679b44a6394159e49c9bbda299e33bfc6fdc92
SHA512 009f31cd68a87a40aef4be07af805ab50fac03f4c621144b170d9d3313b1b6a73415f6dd878b048f85afc1b662659a88e4cc89e9a8c76f631f6f1b79d57fd0b0

C:\Program Files (x86)\Dia\bin\libgmodule-2.0-0.dll

MD5 b0b2396fc6413016a45a5e8ca2ea8152
SHA1 d9d2311d1619c1f51b406fee1a17529d3de21124
SHA256 1e2332ed84bb447fe814e9201effe88e682fd9b2da89e2b1a27aef1c786b6589
SHA512 496c8d905a481c3bcacee2a54e0a27cb8605a62d36668dbb61dbb4e23fecb83efe92c4cbb16df0b7276f8938cb66879dddff03c4fca50ca5dd504814982041c8

C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll

MD5 ad674e2d99f06c4f81491b287d454400
SHA1 538b92c8850deb9c1a348f713671221daef58b47
SHA256 a0b7226efb9dfce34a7c90f0e91c8b31555c9bbd58c19ac8c761598233fd462e
SHA512 ddd902d5f5a57e6cde20f18645f4f8a81ca81ea7a3f76b51a98303b2415bdddbe37a5cb6cf21becff71d2f359a5de0804336b130be45b7b32ede0b7057737e88

C:\Program Files (x86)\Dia\bin\libgdk_pixbuf-2.0-0.dll

MD5 e4c64b0e7e4c6606f3973a16c0c1ee84
SHA1 0e369ad075b58c09e7c17796797993d67d5a12de
SHA256 c8ff2373d4c261fcd6525a826dbc736d347ae10168490a7a7fc837e76329afc1
SHA512 4fecda9d9f7f3b6316026d8cd507fae32556c40bed27d1fa8c3e7ba4a247ed9a41ad8dd2ee817a1e76afa3788f2484db8227f53148db2f54f7ba53284bb35377

C:\Program Files (x86)\Dia\bin\libgio-2.0-0.dll

MD5 ea1263fb4c2230284f3e30c446bfea6b
SHA1 8118780cf010f3bc1eb2323cb6c2bef4a548ef65
SHA256 433d3c2f00fda700fc6353e1af600937a42407b6f2467aa41bd825e96a79c464
SHA512 48784c89389440c1cacea3d7b70e5a0663474fadf634209cc1c3a8065a2b8aa2884d0ca224e784b693501db436a171b4e0660a051371fe66d1e5cb00a8e296ef

C:\Program Files (x86)\Dia\bin\libgobject-2.0-0.dll

MD5 356d697647a480562c4e2e921b13f8ed
SHA1 1218243c9b4e8e6fabcc5f2eac1adb78002b01c2
SHA256 75b4e8a0757f7db26ef195f3c5e2da5770d95c3af081c2cdae0ec15b460aa9ea
SHA512 4ef4ad1648f508cb3ad5ab446196d351219a28083df096353a343b81a6d699691bb8a77158a6085d00d4c9eae408a0193dac7e3b806156d62bb6ee552dc8095a

C:\Program Files (x86)\Dia\bin\libgthread-2.0-0.dll

MD5 7ad6f303082b382bff7bafbab246c61f
SHA1 8d94c4d4b0633a80e28504a3c694dd2bae252854
SHA256 ee2e8485fdbfb2c5626099ccafcdc41ac60414dffd5c6c3befaf786634baf5c3
SHA512 eee840f217ff65b22efd16e78fb898990116efdfb6ee1cbf9d9fb64b9f3209f18860f6477c1df60352fb242671d973dcac043134748f823d210fc393ed4e2598

C:\Program Files (x86)\Dia\bin\zlib1.dll

MD5 d90dad5eea33a178bac56fff2847d4c2
SHA1 cbbce727fd8447487c7fc68051b24df17d043649
SHA256 104162a59e7784e1fe2ec0b7db8836e1eb905abfd1602a05d86debe930b40cbf
SHA512 8dbe57e32554d049a0779c40645dfbad2eaa1eeaf746898cd44f8686265f1fd4f84d6f857ba40644294d817d5c5eab6ba6271df55c56047fd16c10b8478184eb

C:\Program Files (x86)\Dia\bin\libpng14-14.dll

MD5 ec778df2faa455daf5d2c5e20f5198e2
SHA1 44adb4d80e7728dc35617ed3801b528b720698c4
SHA256 8005a9aacc2b47a064d5e1d18d7ca5d1b28cc19b49dec0a888ede1cc970d4395
SHA512 cb0c484ba1237fd49ecdaabd865d2034bed200b37913cbe891ad3b6a27ae4ad6dbdb8d3db7ad46fbd68e5ca0d4cb4af9d7f528309ad356477abcc230b357b502

C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll

MD5 a6b653293267cc2a2c7137f6b1e82d85
SHA1 a86d19b1385fdd822dda8081fcfb511cc96b7871
SHA256 2240e5ca17355e2ccb3915f6ed905af4346e9a0cb5174f840faec1b5aa5ffa87
SHA512 85039b9f79eab0343067620dfe1a7581476e55a8a78ba9db656bbfc4f28d9bb69832180fcee44ff4918059dcf21db460386c2d2f131a29ecb1157a265e641f55

memory/2156-2462-0x0000000000410000-0x0000000000444000-memory.dmp

C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll

MD5 a762b54e2fedd949efc9f0e73326ed97
SHA1 379d03aab3558b49c53de54eff46b41c4334cba5
SHA256 28d2dc3fe8a66f1937ce722766c8f5416d8b282bb3f53affeaa2b05fbdfd6c27
SHA512 78d865d762ed560670acaac9f7cbb760865335b3cad7fcbb9db23784cd3fc57051ec27c658f266d90257b166529bfea1deb7d8507c38a8c3cbfbf2792a9964df

C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll

MD5 b53255ccd3a0174b6f14fbdfe1b3b3c4
SHA1 5bf6460a14c61e89eb37361ba93f227074f5e4e0
SHA256 18e97911fbc619d31a95e58a2511a4b14d75c58cf0a22757e0f44f18f1b9248e
SHA512 29deb6d6ff70042b0a2a1d7552b037390c194a38d115d9bf4b1f8f7979ba393ab88c62fd47214d68646a749028173943082671a81b92ecafe1285c479d62982a

memory/2156-2485-0x0000000000410000-0x0000000000434000-memory.dmp

\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll

MD5 0fa7b2f79527f58b40c6e6a773d8ad97
SHA1 8c4d24b466e86736bc325b5d096f6588060b85a3
SHA256 220e32d68f36fc09e73c8e0302541967ecd15976c62f472481a1fc24892f96d1
SHA512 d49f4870c59bb419c7033f50314a8b46f9e08d6fb6b72a63910fd8e5695b6233ea2a132940907d66bc5a98ebc14248d08be35d167139fedf72e902013a9dce07

memory/2156-2486-0x0000000002300000-0x0000000002411000-memory.dmp

memory/2156-2491-0x000000006DD00000-0x000000006DD0D000-memory.dmp

memory/2156-2490-0x000000006A300000-0x000000006A323000-memory.dmp

memory/2156-2489-0x00000000685C0000-0x00000000686C6000-memory.dmp

memory/2156-2488-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Program Files (x86)\Dia\locale\ja\LC_MESSAGES\dia.mo

MD5 2fb460a8a948fc6478ebf4e9e2c24163
SHA1 cbe7bbd206039820bc459b0d211264f328a37207
SHA256 1116fa099fd52a30099b01cce44cd24747eb565722815b003cb2cb3910b943c0
SHA512 5c132bc07ffe0c6954f29ca5c9447a96b35a20addb8ed7f1aa4cbcaf077ed9105a58758b49a21cf339175669f526767afd38ba7db6bf7f17d7f189a003cf0b43

C:\Program Files (x86)\Dia\share\locale\da\LC_MESSAGES\glib20.mo

MD5 27563cfa1d0d54d358bd621b4b2d71dd
SHA1 f8a704a0bed7407634d8d9347b5e7edfbf081460
SHA256 c67bff3405528f2daaf7ec10dfc4d95766326b44c39ca0b22d6d6666e9e1b103
SHA512 cb2097cf0b4935c406789c349d52bc17c885042d43ee3f084e70933ea531c2f885d817284569cd64f920c6f44e62fad2f040692022968e4585d57ed7f6410960

C:\Program Files (x86)\Dia\share\locale\el\LC_MESSAGES\gtk20-properties.mo

MD5 8cd537c1d83b8ab58d6f421b56833e6d
SHA1 f22df4559e1c6d5793db6cb7bcd4ac9459b3de63
SHA256 fef8013bc9494a22c7d06dfd9975308f1ea2e62054eaa14cd0e568c42bc2b309
SHA512 3a8ad64739952a21f86a88ced51fe8ff598e2e9a7bada3f7ccc223a6a7580a82b588e76456ea2d36af73f264d6c87ef715e6aca085415f14ec60488bbb49b4dc

C:\Program Files (x86)\Dia\share\locale\eu\LC_MESSAGES\gtk20-properties.mo

MD5 ce88da280f2cbb87b977839ece9f0a38
SHA1 5788bf9043d9308992da1b296ba2ab43b435766b
SHA256 b66a2dfc04193aa54e79bd6f981ba895f35d851e66eacca8fffede391712f1bd
SHA512 656449807e5093ef79834013d2e292e3ade64869b72a09949bedc73765c6951e2f32a33d06349cf9124f252d4a852ac16ca51ed4f4d382acd272ef99e134200a

C:\Program Files (x86)\Dia\share\locale\gl\LC_MESSAGES\gtk20.mo

MD5 b76be150f5aa94ac070dbf03460dfa79
SHA1 56aa41644c1a11a55163e5d00c461ac304823f65
SHA256 68505c7dc0a89584b12a9e15b17e0bd370b30868f5184d18e10f4d0713c51481
SHA512 67f2343e3687793a404ff875c07a4e469940bcf01881a6e566dbd2e0f9c0f3945a5112af90dcdb1422a24b396570ce67c37cee8ee58f2796366f6878a40bcfb7

C:\Program Files (x86)\Dia\share\locale\lt\LC_MESSAGES\gtk20.mo

MD5 037b1adba1507f1374252c07430e4443
SHA1 922090038a62bdcf1a3db6a2f24e133cac4e4e54
SHA256 96993b3288f70c8ed703be11966dd7df8d5a9ee7c026fd4aa26864ed08745535
SHA512 378dc7f3cd0781c91a7bf7d9d6a5b671c6a7fa68fe136a85849dd65e0e5b344a9d155a8f54e5d2102a01dcf9a84dc56db90b7ed6341ba86e6a763b4bf2b28235

C:\Program Files (x86)\Dia\share\locale\nb\LC_MESSAGES\gtk20.mo

MD5 3ba1afac076d1d58bb8ff84073f12402
SHA1 80d3f69b223d0f5176536ff176017dc7f37e4e85
SHA256 449c92afed408e52591423b383be83829ab99442b2f59d29720852164656035c
SHA512 fbf6e1f9460c6413fe0df67df2abb750aa29f60509c2be2023008be914185062fc9cfa481c4e6c5e4aec0e2b05b828a43f828ab8b6852bce6153cab64482b3f0

C:\Program Files (x86)\Dia\share\locale\or\LC_MESSAGES\gtk20-properties.mo

MD5 308d7044ce7d73f8a1535991811ad560
SHA1 36fc07a4c2e3ca75990973ae82f26efd5c4fa9b6
SHA256 42908285d6687d151d7a81dafb18596edf3e6d14eb2cdb21c4bda83a1a234270
SHA512 bd779a6edd580a4b53aa739d4c8382388455e0d07d11eb813a0c9c05c4c417fe0c24201d61f734b1df19b25cb6b4469d5a89be29590ab1b446b362c3b47bc978

C:\Program Files (x86)\Dia\share\locale\sr@ije\LC_MESSAGES\gtk20-properties.mo

MD5 ee2b2af69c61dd1729f1dccd771e65d1
SHA1 86b236b60ac7781d55a1bc4f1af43505e6b23d0f
SHA256 a9a2c2e7ff0371f8873eb6ddf5c4b7e3dadca980855373a134978988faa00561
SHA512 55ba28dccf7ecd8be5f7144d5d3ef5120455346bd39b7056af007c2bf44da6a88ef5100d4af4893a0774ae815fae4a50e8ef63482946e3f94334faceb5c69fd4

C:\Users\Admin\AppData\Local\Temp\nse907.tmp\ioSpecial.ini

MD5 5ca299bf0be6788d8ad6f8e495e50a5f
SHA1 5d947219b55ed2208f588d93f05c6a28a0a614fb
SHA256 0c5d476fa6426c9cab47ba7235c198977f51a6d18cc257525df2c9db302b034f
SHA512 df80f3c9c1eda21420390f9549db06b5a9b44978d650aed4c988f2474d8c0089ea37162da3e9ae53128e81bd65d4a2454938a47d2cb8d873d3beebb1eec4c20e

C:\Program Files (x86)\Dia\bin\diaw.exe

MD5 db14ee352a7193fbec1dc09250eb67cf
SHA1 b5201a6633dac057b8b454dc2b9f8ed02a01042e
SHA256 4c38562afe57192c1a715b7749a4f3eb1581c6fe52e9122b79e8ccece1e5607e
SHA512 4fe169ee431184af39dd48d9aaa4ac2778e15f177dac898846f12da3233d16e2dc23330319bde65a39c6816a6efd929b984a87a533161966988d270ae9824a2f

memory/2060-3071-0x00000000002C0000-0x00000000002F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse907.tmp\ioSpecial.ini

MD5 37ebada1d2171cc424dd9a87161f90c1
SHA1 3209cf67fe92993f376eba88d7635f8e6e03d4a8
SHA256 150cc5527725a602109521b6db66b701b5793bf953788cb955dbd87c32b29f53
SHA512 39f762b3d4b01099422f129889c8e42337a454daaeb55cec0864da33c153c65338dff184a84b0e23b2c4ab1aebb5156fc9dca3c7de25be52c75647a89165402a

memory/2060-3088-0x0000000000670000-0x00000000006F1000-memory.dmp

memory/2060-3089-0x0000000000410000-0x0000000000433000-memory.dmp

memory/2060-3087-0x0000000000590000-0x0000000000669000-memory.dmp

memory/2060-3086-0x0000000000300000-0x00000000003F5000-memory.dmp

memory/2060-3091-0x0000000000670000-0x00000000006F1000-memory.dmp

memory/2060-3093-0x00000000025F0000-0x00000000025FD000-memory.dmp

memory/2060-3092-0x0000000002570000-0x000000000257D000-memory.dmp

memory/2060-3111-0x0000000003BA0000-0x0000000003BCC000-memory.dmp

memory/2060-3110-0x0000000003B80000-0x0000000003B8D000-memory.dmp

memory/2060-3108-0x0000000003B30000-0x0000000003B5D000-memory.dmp

memory/2060-3107-0x0000000003AF0000-0x0000000003B26000-memory.dmp

memory/2060-3106-0x0000000003A80000-0x0000000003ADE000-memory.dmp

memory/2060-3104-0x0000000003A40000-0x0000000003A50000-memory.dmp

memory/2060-3103-0x0000000003A10000-0x0000000003A1B000-memory.dmp

memory/2060-3102-0x00000000039D0000-0x00000000039EE000-memory.dmp

memory/2060-3101-0x00000000039C0000-0x00000000039CA000-memory.dmp

memory/2060-3100-0x00000000039B0000-0x00000000039BC000-memory.dmp

memory/2060-3099-0x0000000003990000-0x000000000399B000-memory.dmp

memory/2060-3098-0x0000000003970000-0x000000000397D000-memory.dmp

memory/2060-3097-0x0000000003950000-0x000000000395C000-memory.dmp

memory/2060-3096-0x0000000002630000-0x000000000263B000-memory.dmp

memory/2060-3095-0x0000000002620000-0x000000000262A000-memory.dmp

memory/2060-3094-0x0000000002610000-0x0000000002620000-memory.dmp

memory/2060-3112-0x0000000061780000-0x0000000061B3B000-memory.dmp

memory/2060-3119-0x0000000062E80000-0x0000000062E9F000-memory.dmp

memory/2060-3134-0x00000000039D0000-0x00000000039EE000-memory.dmp

memory/2060-3133-0x0000000062D40000-0x0000000062D54000-memory.dmp

memory/2060-3132-0x0000000000410000-0x0000000000433000-memory.dmp

memory/2060-3131-0x0000000062940000-0x0000000062960000-memory.dmp

memory/2060-3130-0x000000006B280000-0x000000006B296000-memory.dmp

memory/2060-3129-0x000000006D700000-0x000000006D7B6000-memory.dmp

memory/2060-3128-0x000000006D4C0000-0x000000006D4D4000-memory.dmp

memory/2060-3127-0x0000000065580000-0x00000000655C2000-memory.dmp

memory/2060-3126-0x0000000065C40000-0x0000000065C4E000-memory.dmp

memory/2060-3125-0x0000000063A40000-0x0000000063A85000-memory.dmp

memory/2060-3124-0x000000006DD00000-0x000000006DD0D000-memory.dmp

memory/2060-3123-0x00000000685C0000-0x00000000686C6000-memory.dmp

memory/2060-3122-0x000000006D580000-0x000000006D651000-memory.dmp

memory/2060-3121-0x000000006A300000-0x000000006A323000-memory.dmp

memory/2060-3120-0x0000000065340000-0x0000000065377000-memory.dmp

memory/2060-3118-0x00000000002C0000-0x00000000002F4000-memory.dmp

memory/2060-3117-0x000000006A800000-0x000000006A879000-memory.dmp

memory/2060-3116-0x0000000068F40000-0x0000000068F63000-memory.dmp

memory/2060-3115-0x0000000064F80000-0x0000000064FC2000-memory.dmp

memory/2060-3114-0x0000000068DC0000-0x0000000068ED1000-memory.dmp

memory/2060-3113-0x000000006C340000-0x000000006C3F3000-memory.dmp

memory/2060-3137-0x0000000068DC0000-0x0000000068ED1000-memory.dmp

memory/2060-3136-0x000000006C340000-0x000000006C3F3000-memory.dmp

memory/2060-3296-0x0000000000670000-0x00000000006F1000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20241010-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.chm

Network

N/A

Files

memory/2136-20-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.pdf"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.pdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 aa09e122ec07d6008196e362bd24ed6a
SHA1 b9fb3af6b128bc6b9f53c52dbdbfab7ae280674e
SHA256 f18ab5f521347ceef2771a74f8eea253102fe73d76deac97706bf37b2fdcab54
SHA512 d5be02684745c46c25550ef86e01068bdb7b1b23042ee73c69bc6c1e37a15336e0c5ae15bdb219ae1eb95d0e436b18cdc48651d76df72a5e7558f446c5590678

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240708-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4348 wrote to memory of 4540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4348 wrote to memory of 4540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4348 wrote to memory of 4540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2160 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2160 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 102.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1524 wrote to memory of 1928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 102.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
N/A N/A C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Dia\shapes\Cisco\100baset_hub.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\en_GB\LC_MESSAGES\gtk20-properties.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Assorted\arrow-right-notched.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\sheets\GRAFCET\etapesp.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\lib\locale\ja\LC_MESSAGES\atk10.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Contact\l_outr.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\adm.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\stb.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\shapes\Civil\civil_gas_bottle.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\ChemEng\aircooler.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\flowchart\transmittape.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\web_cluster.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\macintosh.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\satellite.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\shapes\jigsaw\part_oiio.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\SDL\inout.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\bin\libgio-2.0-0.dll C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\front_end_processor.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Civil\civil_gas_bottle.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\network\telephone.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Pneumatic\compush.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\mac_woman.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\small_business.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\samples\self\umlclass.dia C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\dia\grafcet.dll C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\firewall_horizontal.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\ip.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\shapes\network\patch-panel.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\locale\ca\LC_MESSAGES\dia.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\zh_TW\LC_MESSAGES\gtk20.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Assorted\cross-maltese.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\ChemEng\measure.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\bbs.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\channelized_pipe.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\wi-fi_tag.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Lights\Stroboscope.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\MSE\node_center.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\lib\locale\wa\LC_MESSAGES\atk10.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\BPMN\Activity-Looping.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\ChemEng\traycol.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\workgroup_switch.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\shapes\Civil\civil_final-settling_basin.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cybernetics\sum.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\flowchart\extract.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Lights\PAR_floor.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\shapes\network\sceadplug.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\BPMN\End-Event-Multiple.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\locale\am\LC_MESSAGES\dia.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\ko\LC_MESSAGES\gtk20.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\share\locale\sr@latin\LC_MESSAGES\gtk20-properties.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\sheets\GRAFCET\etapeme.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\hootphone.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Contact\l_out.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\dia\pixbuf.dll C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File opened for modification C:\Program Files (x86)\Dia\shapes\jigsaw\part_oioi.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Map\Isometric\Block2.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cybernetics\b-sens.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cisco\softphone.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Civil\civil_container.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Contact\l_out.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\Cybernetics\r-integrator.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\jigsaw\part_oiio.png C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\shapes\network\zip-disk.shape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
File created C:\Program Files (x86)\Dia\lib\locale\bn_IN\LC_MESSAGES\atk10.mo C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dia C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dia\ = "diaFile" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t fig \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\DefaultIcon\ = "C:\\Program Files (x86)\\Dia\\etc\\dia-diagram.ico,0" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t mp \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t wmf \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t eps \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\ = "Create PNG image" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t png \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\dia-win-remote.exe\" diaw.exe --integrated \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\ = "Create SVG image" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t wpg \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\EditFlags = 00000100 C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t cgm \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createsvg\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t svg \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\ = "diaFile" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\ = "Create CGM image" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createpng\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf\ = "Create Windows Meta File" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dia\Content Type = "application/dia" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\ = "Create EPS file" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t tex \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwmf C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createtex\ = "Create TeX PSTricks macros" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg\ = "Create WPG image" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createfig\ = "Create XFig drawing" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t dxf \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\ = "Create HPGL file" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createdxf\ = "Create DXF drawing" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createcgm\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t shape \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createwpg C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\open\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createeps\command C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createhpgl\command\ = "\"C:\\Program Files (x86)\\Dia\\bin\\diaw.exe\" -t hpgl \"%1\"" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createmp\ = "Create TeX Metapost macros" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\diaFile\Shell\createshape\ = "Create dia shape" C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe

"C:\Users\Admin\AppData\Local\Temp\dia-setup-0.97.2-2-unsigned (1).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.bat"

C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe

.\gdk-pixbuf-query-loaders.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 70.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\LangDLL.dll

C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini

C:\Program Files (x86)\Dia\shapes\Electric\contact_f.png

C:\Program Files (x86)\Dia\shapes\Electric\lamp.png

C:\Program Files (x86)\Dia\shapes\Pneumatic\cnx.png

C:\Program Files (x86)\Dia\bin\libtiff3.dll

C:\Program Files (x86)\Dia\bin\libxml2.dll

C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\nsExec.dll

C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.bat

C:\Program Files (x86)\Dia\bin\gdk-pixbuf-query-loaders.exe

C:\Program Files (x86)\Dia\bin\libglib-2.0-0.dll

C:\Program Files (x86)\Dia\bin\libgmodule-2.0-0.dll

C:\Program Files (x86)\Dia\bin\intl.dll

memory/1124-2501-0x000000006A300000-0x000000006A323000-memory.dmp

memory/1124-2500-0x00000000685C0000-0x00000000686C6000-memory.dmp

memory/1124-2499-0x000000006DD00000-0x000000006DD0D000-memory.dmp

memory/1124-2498-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1124-2496-0x00000000028C0000-0x00000000029D1000-memory.dmp

memory/1124-2495-0x00000000027E0000-0x00000000028B9000-memory.dmp

memory/1124-2494-0x00000000027E0000-0x0000000002804000-memory.dmp

C:\Program Files (x86)\Dia\bin\libgdk_pixbuf-2.0-0.dll

MD5 e4c64b0e7e4c6606f3973a16c0c1ee84
SHA1 0e369ad075b58c09e7c17796797993d67d5a12de
SHA256 c8ff2373d4c261fcd6525a826dbc736d347ae10168490a7a7fc837e76329afc1
SHA512 4fecda9d9f7f3b6316026d8cd507fae32556c40bed27d1fa8c3e7ba4a247ed9a41ad8dd2ee817a1e76afa3788f2484db8227f53148db2f54f7ba53284bb35377

C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll

MD5 b53255ccd3a0174b6f14fbdfe1b3b3c4
SHA1 5bf6460a14c61e89eb37361ba93f227074f5e4e0
SHA256 18e97911fbc619d31a95e58a2511a4b14d75c58cf0a22757e0f44f18f1b9248e
SHA512 29deb6d6ff70042b0a2a1d7552b037390c194a38d115d9bf4b1f8f7979ba393ab88c62fd47214d68646a749028173943082671a81b92ecafe1285c479d62982a

C:\Program Files (x86)\Dia\bin\zlib1.dll

MD5 d90dad5eea33a178bac56fff2847d4c2
SHA1 cbbce727fd8447487c7fc68051b24df17d043649
SHA256 104162a59e7784e1fe2ec0b7db8836e1eb905abfd1602a05d86debe930b40cbf
SHA512 8dbe57e32554d049a0779c40645dfbad2eaa1eeaf746898cd44f8686265f1fd4f84d6f857ba40644294d817d5c5eab6ba6271df55c56047fd16c10b8478184eb

C:\Program Files (x86)\Dia\bin\libgthread-2.0-0.dll

MD5 7ad6f303082b382bff7bafbab246c61f
SHA1 8d94c4d4b0633a80e28504a3c694dd2bae252854
SHA256 ee2e8485fdbfb2c5626099ccafcdc41ac60414dffd5c6c3befaf786634baf5c3
SHA512 eee840f217ff65b22efd16e78fb898990116efdfb6ee1cbf9d9fb64b9f3209f18860f6477c1df60352fb242671d973dcac043134748f823d210fc393ed4e2598

C:\Program Files (x86)\Dia\bin\libpng14-14.dll

MD5 ec778df2faa455daf5d2c5e20f5198e2
SHA1 44adb4d80e7728dc35617ed3801b528b720698c4
SHA256 8005a9aacc2b47a064d5e1d18d7ca5d1b28cc19b49dec0a888ede1cc970d4395
SHA512 cb0c484ba1237fd49ecdaabd865d2034bed200b37913cbe891ad3b6a27ae4ad6dbdb8d3db7ad46fbd68e5ca0d4cb4af9d7f528309ad356477abcc230b357b502

C:\Program Files (x86)\Dia\bin\libgio-2.0-0.dll

MD5 ea1263fb4c2230284f3e30c446bfea6b
SHA1 8118780cf010f3bc1eb2323cb6c2bef4a548ef65
SHA256 433d3c2f00fda700fc6353e1af600937a42407b6f2467aa41bd825e96a79c464
SHA512 48784c89389440c1cacea3d7b70e5a0663474fadf634209cc1c3a8065a2b8aa2884d0ca224e784b693501db436a171b4e0660a051371fe66d1e5cb00a8e296ef

C:\Program Files (x86)\Dia\bin\libgobject-2.0-0.dll

MD5 356d697647a480562c4e2e921b13f8ed
SHA1 1218243c9b4e8e6fabcc5f2eac1adb78002b01c2
SHA256 75b4e8a0757f7db26ef195f3c5e2da5770d95c3af081c2cdae0ec15b460aa9ea
SHA512 4ef4ad1648f508cb3ad5ab446196d351219a28083df096353a343b81a6d699691bb8a77158a6085d00d4c9eae408a0193dac7e3b806156d62bb6ee552dc8095a

C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-icns.dll

MD5 0fa7b2f79527f58b40c6e6a773d8ad97
SHA1 8c4d24b466e86736bc325b5d096f6588060b85a3
SHA256 220e32d68f36fc09e73c8e0302541967ecd15976c62f472481a1fc24892f96d1
SHA512 d49f4870c59bb419c7033f50314a8b46f9e08d6fb6b72a63910fd8e5695b6233ea2a132940907d66bc5a98ebc14248d08be35d167139fedf72e902013a9dce07

C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-gif.dll

MD5 a762b54e2fedd949efc9f0e73326ed97
SHA1 379d03aab3558b49c53de54eff46b41c4334cba5
SHA256 28d2dc3fe8a66f1937ce722766c8f5416d8b282bb3f53affeaa2b05fbdfd6c27
SHA512 78d865d762ed560670acaac9f7cbb760865335b3cad7fcbb9db23784cd3fc57051ec27c658f266d90257b166529bfea1deb7d8507c38a8c3cbfbf2792a9964df

memory/1124-2474-0x00000000027E0000-0x0000000002814000-memory.dmp

C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-bmp.dll

MD5 a6b653293267cc2a2c7137f6b1e82d85
SHA1 a86d19b1385fdd822dda8081fcfb511cc96b7871
SHA256 2240e5ca17355e2ccb3915f6ed905af4346e9a0cb5174f840faec1b5aa5ffa87
SHA512 85039b9f79eab0343067620dfe1a7581476e55a8a78ba9db656bbfc4f28d9bb69832180fcee44ff4918059dcf21db460386c2d2f131a29ecb1157a265e641f55

C:\Program Files (x86)\Dia\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll

MD5 ad674e2d99f06c4f81491b287d454400
SHA1 538b92c8850deb9c1a348f713671221daef58b47
SHA256 a0b7226efb9dfce34a7c90f0e91c8b31555c9bbd58c19ac8c761598233fd462e
SHA512 ddd902d5f5a57e6cde20f18645f4f8a81ca81ea7a3f76b51a98303b2415bdddbe37a5cb6cf21becff71d2f359a5de0804336b130be45b7b32ede0b7057737e88

C:\Program Files (x86)\Dia\locale\ja\LC_MESSAGES\dia.mo

MD5 2fb460a8a948fc6478ebf4e9e2c24163
SHA1 cbe7bbd206039820bc459b0d211264f328a37207
SHA256 1116fa099fd52a30099b01cce44cd24747eb565722815b003cb2cb3910b943c0
SHA512 5c132bc07ffe0c6954f29ca5c9447a96b35a20addb8ed7f1aa4cbcaf077ed9105a58758b49a21cf339175669f526767afd38ba7db6bf7f17d7f189a003cf0b43

C:\Program Files (x86)\Dia\share\locale\da\LC_MESSAGES\glib20.mo

MD5 27563cfa1d0d54d358bd621b4b2d71dd
SHA1 f8a704a0bed7407634d8d9347b5e7edfbf081460
SHA256 c67bff3405528f2daaf7ec10dfc4d95766326b44c39ca0b22d6d6666e9e1b103
SHA512 cb2097cf0b4935c406789c349d52bc17c885042d43ee3f084e70933ea531c2f885d817284569cd64f920c6f44e62fad2f040692022968e4585d57ed7f6410960

C:\Program Files (x86)\Dia\share\locale\el\LC_MESSAGES\gtk20-properties.mo

MD5 8cd537c1d83b8ab58d6f421b56833e6d
SHA1 f22df4559e1c6d5793db6cb7bcd4ac9459b3de63
SHA256 fef8013bc9494a22c7d06dfd9975308f1ea2e62054eaa14cd0e568c42bc2b309
SHA512 3a8ad64739952a21f86a88ced51fe8ff598e2e9a7bada3f7ccc223a6a7580a82b588e76456ea2d36af73f264d6c87ef715e6aca085415f14ec60488bbb49b4dc

C:\Program Files (x86)\Dia\share\locale\eu\LC_MESSAGES\gtk20-properties.mo

MD5 ce88da280f2cbb87b977839ece9f0a38
SHA1 5788bf9043d9308992da1b296ba2ab43b435766b
SHA256 b66a2dfc04193aa54e79bd6f981ba895f35d851e66eacca8fffede391712f1bd
SHA512 656449807e5093ef79834013d2e292e3ade64869b72a09949bedc73765c6951e2f32a33d06349cf9124f252d4a852ac16ca51ed4f4d382acd272ef99e134200a

C:\Program Files (x86)\Dia\share\locale\gl\LC_MESSAGES\gtk20.mo

MD5 b76be150f5aa94ac070dbf03460dfa79
SHA1 56aa41644c1a11a55163e5d00c461ac304823f65
SHA256 68505c7dc0a89584b12a9e15b17e0bd370b30868f5184d18e10f4d0713c51481
SHA512 67f2343e3687793a404ff875c07a4e469940bcf01881a6e566dbd2e0f9c0f3945a5112af90dcdb1422a24b396570ce67c37cee8ee58f2796366f6878a40bcfb7

C:\Program Files (x86)\Dia\share\locale\lt\LC_MESSAGES\gtk20.mo

MD5 037b1adba1507f1374252c07430e4443
SHA1 922090038a62bdcf1a3db6a2f24e133cac4e4e54
SHA256 96993b3288f70c8ed703be11966dd7df8d5a9ee7c026fd4aa26864ed08745535
SHA512 378dc7f3cd0781c91a7bf7d9d6a5b671c6a7fa68fe136a85849dd65e0e5b344a9d155a8f54e5d2102a01dcf9a84dc56db90b7ed6341ba86e6a763b4bf2b28235

C:\Program Files (x86)\Dia\share\locale\nb\LC_MESSAGES\gtk20.mo

MD5 3ba1afac076d1d58bb8ff84073f12402
SHA1 80d3f69b223d0f5176536ff176017dc7f37e4e85
SHA256 449c92afed408e52591423b383be83829ab99442b2f59d29720852164656035c
SHA512 fbf6e1f9460c6413fe0df67df2abb750aa29f60509c2be2023008be914185062fc9cfa481c4e6c5e4aec0e2b05b828a43f828ab8b6852bce6153cab64482b3f0

C:\Program Files (x86)\Dia\share\locale\or\LC_MESSAGES\gtk20-properties.mo

MD5 308d7044ce7d73f8a1535991811ad560
SHA1 36fc07a4c2e3ca75990973ae82f26efd5c4fa9b6
SHA256 42908285d6687d151d7a81dafb18596edf3e6d14eb2cdb21c4bda83a1a234270
SHA512 bd779a6edd580a4b53aa739d4c8382388455e0d07d11eb813a0c9c05c4c417fe0c24201d61f734b1df19b25cb6b4469d5a89be29590ab1b446b362c3b47bc978

C:\Program Files (x86)\Dia\share\locale\sr@ije\LC_MESSAGES\gtk20-properties.mo

MD5 ee2b2af69c61dd1729f1dccd771e65d1
SHA1 86b236b60ac7781d55a1bc4f1af43505e6b23d0f
SHA256 a9a2c2e7ff0371f8873eb6ddf5c4b7e3dadca980855373a134978988faa00561
SHA512 55ba28dccf7ecd8be5f7144d5d3ef5120455346bd39b7056af007c2bf44da6a88ef5100d4af4893a0774ae815fae4a50e8ef63482946e3f94334faceb5c69fd4

C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini

MD5 decafd20f184dc35922fca9acc6574e2
SHA1 03caafbe55de91e329a5fd596147e90df5ef818c
SHA256 256f928ebed0ec9bf80e6720c7315a788b836db0ca5badfc2323eed58dac8b25
SHA512 222e653dce54585ca4c79861c39cd721977af9873ddf4d2954d27319e139282fd81dbfae84b55af018259bdbd0496021487e6567654c4a3ec60f98284158a461

C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini

MD5 ccc7336f3c63b09d4a1e0804b5b52cb2
SHA1 b1a74973a687146cb81f041b1941c8d11cc32fb8
SHA256 57d5c3e22d9dd531b787963f6b2fe55dd7801c5bf358154d83d9385b1c1a2db4
SHA512 ef196c7c8fd3a5c1338a78eb1f0a79ac96bfa5aa59bfd9d7b4725cb6f0b68821b43cfe505f53ae1e16c71dd58f5c2888ac2de0624e5188277f11b7e7dd0841c7

C:\Users\Admin\AppData\Local\Temp\nsz7754.tmp\ioSpecial.ini

MD5 82334bfdc1dd009682eeca586bb7a59c
SHA1 0503336ef1f205fef385924c77893e7a990af5a5
SHA256 84997eb2bb479c7897cf2fed208a8f75cbb5359ad49e9667f0f0451a9897472b
SHA512 48ca5b8680c5b7d8a1ae565bf38114af74334c64a92e6dd98f068021375a4947342d3a98630ef0e108a8b41c2676b32f5a860e49c03d360d45727857700166ac

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.chm

Network

N/A

Files

memory/2764-20-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.chm

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.pdf"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\eu\dia-manual.pdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 04b900db92900d79eae95916d0b2f8d5
SHA1 018ba675cd10ed5152af295e856dce8169de5c61
SHA256 28c797dbc5784176fae617213e85bc2116a3ae3cea7ab4916d64f96f57a275b3
SHA512 f098603187401dc640d0f16ef6079dd66582f08d098603766e4b66d9f0e60bd664d7effce9a67b875a488c4ee3fad572057707b9bbcaeaf1ba7aada0ca21ad81

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

150s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.pdf"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4072 wrote to memory of 4632 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4072 wrote to memory of 4632 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4072 wrote to memory of 4632 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 4208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4632 wrote to memory of 1760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\help\fr\dia-manual.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E8EC858C2DFE1706D9A4A488D26FBA04 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E9C1E6E30AFACF6C9CF95510F1E5E116 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E9C1E6E30AFACF6C9CF95510F1E5E116 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C0EF5F1F37C973609E671FE4B3C65C0A --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=57D815A29F8ADA3E98A37C3C7BA3B231 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AF7EE88D35D9E6A7A979B00EB3CEE45A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AF7EE88D35D9E6A7A979B00EB3CEE45A --renderer-client-id=6 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F8682CBD9B599CE464FDD940F9EC2CB --mojo-platform-channel-handle=2664 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 204.20.192.23.in-addr.arpa udp
US 8.8.8.8:53 71.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 8c629d66b264ee4d61cd815b3236c086
SHA1 81ffd2608d8b468da37c4587bfdaee9885d3f88f
SHA256 1e494737c20c61e11962426ace6884de7f3bc7c5dca48aa5ee13d0abc89cb91c
SHA512 f52dde9d4cbb40518b23d8f94778b12e9cf258500d546fb9ddb4badfe716c3e536773ceb97350009495575f6d2799cf1c871b212c96a70e74b7ec71b52f466d3

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

152s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\help\pl\dia-manual.chm

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

120s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\imgmap.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\imgmap.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\imgmap.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\imgmap.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a24caf26cd88342840c5d1addf6d8498
SHA1 0f588fd1b686c000cb6a1bda50428c816a877372
SHA256 1e959cc8bee18be18ca0e9cc08d2ef91f5989d122229d6d893acd756ba64320c
SHA512 4c520872c3a06353af53f0c49f09113338861b287712e41d0725c6843ba14963ce004e150ca165b7de3de62aa3fbf1ff659a7107eac7f95c10c0ddd7a9725ec1

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 4660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 4660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 4660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-pcx.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 101.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ani.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2736 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-ico.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-09 22:03

Reported

2024-11-09 22:06

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\imgmap.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\imgmap.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
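
Every Network table in this and the preceding detonations (behavioral12, behavioral30, behavioral16 and the RdrCEF run above) lists nothing but reverse (PTR) lookups sent to 8.8.8.8:53 over UDP: the Domain column is the queried in-addr.arpa name, which is an IPv4 address with its octets reversed, not a host the sample connected to. The Python below is an added helper for reading those tables; it is not part of the report or of any sandbox tooling. It parses rows in the report's four-column layout, decodes each name back to the address it asks about, counts repeats, flags any row that is not a plain PTR query to the expected resolver, and subtracts a baseline taken from another detonation so only lookups unique to one run remain. The sample rows are constructed from values in the tables on this page; the baseline table, the resolver assumption (8.8.8.8:53/udp) and all function names are mine.

```python
"""
Decode the reverse-DNS (PTR) queries that fill the Network tables of a
sandbox report.  Each 'Domain' is an in-addr.arpa name, i.e. an IPv4 address
with its octets reversed, so a table can be turned back into the list of
addresses the guest tried to identify, counted, and diffed against another
detonation of the same sample.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample input, in the shape of the report's
# "Country Destination Domain Proto" tables (one row deliberately repeated).
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
"""

# Constructed baseline (assumption): what a detonation whose process made no
# connection of its own still logged.  Used to subtract background lookups.
BASELINE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^(?P<country>\S+)\s+(?P<dest>\S+)\s+(?P<name>\S+)\s+(?P<proto>\S+)$")
PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """Map a PTR query name back to the IPv4 address it asks about:
    '28.118.140.52.in-addr.arpa' -> '52.140.118.28'.
    Returns None for anything that is not a well-formed IPv4 reverse name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_network_table(text):
    """Parse the whitespace-separated table into dicts, skipping the header
    line and any line that does not have exactly four columns."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        resolver, _, port = m.group("dest").rpartition(":")
        rows.append({
            "country": m.group("country"),
            "resolver": resolver,
            "port": int(port) if port.isdigit() else None,
            "query": m.group("name"),
            "proto": m.group("proto"),
            "ip": ptr_name_to_ip(m.group("name")),
        })
    return rows


def summarize(rows, resolver="8.8.8.8"):
    """Return (lookup count per decoded IP, rows that are NOT a plain UDP PTR
    query to the expected resolver).  Anything in the second list deserves a
    look: a forward lookup or a different resolver is not background noise."""
    counts = Counter(r["ip"] for r in rows if r["ip"])
    odd = [r for r in rows
           if r["ip"] is None or r["resolver"] != resolver
           or r["port"] != 53 or r["proto"] != "udp"]
    return counts, odd


def sample_specific(rows, baseline_rows):
    """Decoded IPs looked up in `rows` that never appear in `baseline_rows`."""
    base = {r["ip"] for r in baseline_rows if r["ip"]}
    return sorted({r["ip"] for r in rows if r["ip"] and r["ip"] not in base})


if __name__ == "__main__":
    rows = parse_network_table(SAMPLE_TABLE)
    counts, odd = summarize(rows)
    for ip, n in counts.most_common():
        print(f"{ip:<16} looked up {n}x")
    print("not a plain PTR to the resolver:", odd)
    print("only in this detonation:",
          sample_specific(rows, parse_network_table(BASELINE_TABLE)))
```

Two caveats when reading the output against the tables above. The Country column describes the resolver (8.8.8.8), not the decoded address, so it says nothing about where the looked-up hosts are. And the baseline subtraction only tells you which lookups differ between two runs; the tables on this page differ from each other by a few addresses even between runs whose only process was hh.exe or rundll32.exe, so a surviving address is worth attributing to the sample only when the Processes section of that run shows something that could have generated it.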

Files

N/A