Analysis

Category: FILE
Package: pdf
Started: 2019-10-10 05:21:55
Completed: 2019-10-10 05:25:41
Duration: 226 seconds

Options:
route = internet
password = 3456
procdump = 1

Log:
2019-10-10 06:21:56,015 [root] INFO: Date set to: 10-10-19, time set to: 05:21:56, timeout set to: 200
2019-10-10 06:21:56,015 [root] DEBUG: Starting analyzer from: C:\jyguetdlo
2019-10-10 06:21:56,015 [root] DEBUG: Storing results at: C:\qjbdNd
2019-10-10 06:21:56,015 [root] DEBUG: Pipe server name: \\.\PIPE\UUwcyt
2019-10-10 06:21:56,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 06:21:56,015 [root] INFO: Automatically selected analysis package "pdf"
2019-10-10 06:21:56,342 [root] DEBUG: Started auxiliary module Browser
2019-10-10 06:21:56,342 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 06:21:56,342 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 06:21:56,654 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-10-10 06:21:56,654 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 06:21:56,670 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 06:21:56,670 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 06:21:56,670 [root] DEBUG: Started auxiliary module Human
2019-10-10 06:21:56,670 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 06:21:56,670 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 06:21:56,670 [root] DEBUG: Started auxiliary module Usage
2019-10-10 06:21:56,670 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a DLL option
2019-10-10 06:21:56,670 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a DLL_64 option
2019-10-10 06:21:56,717 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\1m2Smart.pdf"" with pid 1332
2019-10-10 06:21:56,717 [lib.api.process] INFO: Option 'password' with value '3456' sent to monitor
2019-10-10 06:21:56,717 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 06:21:56,717 [lib.api.process] INFO: 32-bit DLL to inject is C:\jyguetdlo\dll\noVaUP.dll, loader C:\jyguetdlo\bin\PTZHRkH.exe
2019-10-10 06:21:56,733 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\UUwcyt.
2019-10-10 06:21:56,747 [root] DEBUG: Loader: Injecting process 1332 (thread 1860) with C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:21:56,747 [root] DEBUG: Process image base: 0x00210000
2019-10-10 06:21:56,747 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:21:56,763 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00264000 - 0x002C0000
2019-10-10 06:21:56,763 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x00270000.
2019-10-10 06:21:56,763 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 06:21:56,763 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:21:56,763 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1332
2019-10-10 06:21:58,776 [lib.api.process] INFO: Successfully resumed process with pid 1332
2019-10-10 06:21:58,776 [root] INFO: Added new process to list with pid: 1332
2019-10-10 06:21:58,854 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 06:21:58,854 [root] DEBUG: CAPE debug - unrecognised key password.
2019-10-10 06:21:58,854 [root] DEBUG: Process dumps enabled.
2019-10-10 06:21:58,901 [root] INFO: Disabling sleep skipping.
2019-10-10 06:21:58,901 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 06:21:58,901 [root] INFO: Disabling sleep skipping.
2019-10-10 06:21:58,901 [root] INFO: Disabling sleep skipping.
2019-10-10 06:21:58,901 [root] INFO: Disabling sleep skipping.
2019-10-10 06:21:58,901 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1332 at 0x747e0000, image base 0x210000, stack from 0x206000-0x210000
2019-10-10 06:21:58,901 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\1m2Smart.pdf".
2019-10-10 06:21:58,901 [root] INFO: Monitor successfully loaded in process with pid 1332.
2019-10-10 06:21:58,931 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:21:58,947 [root] DEBUG: DLL loaded at 0x726C0000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32 (0x1324000 bytes).
2019-10-10 06:21:58,963 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-10 06:21:58,994 [root] DEBUG: DLL loaded at 0x73F00000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM (0x59d000 bytes).
2019-10-10 06:21:59,026 [root] DEBUG: DLL loaded at 0x73CA0000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType (0x25f000 bytes).
2019-10-10 06:21:59,026 [root] DEBUG: DLL loaded at 0x73B00000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32 (0x19e000 bytes).
2019-10-10 06:21:59,104 [root] DEBUG: set_caller_info: Adding region at 0x00110000 to caller regions list (kernel32::GetSystemInfo).
2019-10-10 06:21:59,104 [root] DEBUG: DLL loaded at 0x72680000: C:\Windows\system32\WINMM (0x32000 bytes).
2019-10-10 06:21:59,119 [root] DEBUG: DLL loaded at 0x73AE0000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB (0x1c000 bytes).
2019-10-10 06:21:59,134 [root] DEBUG: DLL loaded at 0x725B0000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE (0xc3000 bytes).
2019-10-10 06:21:59,197 [root] DEBUG: set_caller_info: Adding region at 0x01D10000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 06:21:59,229 [root] DEBUG: DLL loaded at 0x71B30000: C:\Windows\system32\ieframe (0xa80000 bytes).
2019-10-10 06:21:59,276 [root] DEBUG: DLL loaded at 0x71AF0000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-10 06:21:59,276 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 06:21:59,276 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 06:21:59,322 [root] DEBUG: DLL unloaded from 0x71B30000.
2019-10-10 06:21:59,322 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:21:59,322 [root] DEBUG: set_caller_info: Adding region at 0x038E0000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 06:21:59,338 [root] DEBUG: set_caller_info: Adding region at 0x004D0000 to caller regions list (ntdll::LdrLoadDll).
2019-10-10 06:21:59,338 [root] DEBUG: DLL unloaded from 0x726C0000.
2019-10-10 06:21:59,338 [root] DEBUG: set_caller_info: Adding region at 0x00720000 to caller regions list (user32::SystemParametersInfoW).
2019-10-10 06:21:59,384 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 06:21:59,415 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 06:21:59,415 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 06:21:59,415 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 06:21:59,447 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 06:21:59,447 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 06:21:59,447 [root] DEBUG: DLL loaded at 0x724B0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-10 06:21:59,463 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-10 06:21:59,463 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 06:21:59,680 [root] DEBUG: set_caller_info: Adding region at 0x03760000 to caller regions list (advapi32::RegEnumValueA).
2019-10-10 06:21:59,759 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-10 06:21:59,775 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 06:21:59,775 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-10 06:21:59,775 [root] DEBUG: set_caller_info: Adding region at 0x006F0000 to caller regions list (kernel32::FindFirstFileExW).
2019-10-10 06:21:59,775 [root] DEBUG: set_caller_info: Adding region at 0x00550000 to caller regions list (kernel32::FindFirstFileExW).
2019-10-10 06:21:59,775 [root] DEBUG: set_caller_info: Adding region at 0x00700000 to caller regions list (kernel32::FindFirstFileExW).
2019-10-10 06:21:59,775 [root] DEBUG: set_caller_info: Adding region at 0x002C0000 to caller regions list (kernel32::FindFirstFileExW).
2019-10-10 06:21:59,775 [root] DEBUG: set_caller_info: Adding region at 0x006E0000 to caller regions list (kernel32::FindFirstFileExW).
2019-10-10 06:21:59,822 [root] DEBUG: DLL loaded at 0x72430000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-10 06:21:59,836 [root] DEBUG: set_caller_info: Adding region at 0x04A30000 to caller regions list (user32::SendMessageW).
2019-10-10 06:21:59,930 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-10 06:21:59,946 [lib.api.process] INFO: Option 'password' with value '3456' sent to monitor
2019-10-10 06:21:59,946 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 06:21:59,946 [lib.api.process] INFO: 64-bit DLL to inject is C:\jyguetdlo\dll\dTlbYMa.dll, loader C:\jyguetdlo\bin\zVGilRUa.exe
2019-10-10 06:21:59,946 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\UUwcyt.
2019-10-10 06:21:59,946 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\jyguetdlo\dll\dTlbYMa.dll.
2019-10-10 06:21:59,946 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-10 06:21:59,977 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 06:21:59,977 [root] DEBUG: CAPE debug - unrecognised key password.
2019-10-10 06:21:59,977 [root] DEBUG: Process dumps enabled.
2019-10-10 06:21:59,977 [root] INFO: Disabling sleep skipping.
2019-10-10 06:22:00,039 [root] WARNING: Unable to place hook on LockResource
2019-10-10 06:22:00,039 [root] WARNING: Unable to hook LockResource
2019-10-10 06:22:00,118 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x0000000072350000, image base 0x00000000FF900000, stack from 0x0000000006B12000-0x0000000006B20000
2019-10-10 06:22:00,118 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-10 06:22:00,118 [root] INFO: Added new process to list with pid: 1632
2019-10-10 06:22:00,118 [root] INFO: Monitor successfully loaded in process with pid 1632.
2019-10-10 06:22:00,118 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 06:22:00,118 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 06:22:00,118 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\dTlbYMa.dll.
2019-10-10 06:22:00,164 [root] DEBUG: DLL loaded at 0x71EA0000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api (0x4a1000 bytes).
2019-10-10 06:22:00,211 [root] DEBUG: DLL loaded at 0x71420000: C:\Windows\system32\ieframe (0xa80000 bytes).
2019-10-10 06:22:00,211 [root] DEBUG: DLL loaded at 0x713E0000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-10 06:22:00,211 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 06:22:00,226 [root] DEBUG: DLL unloaded from 0x71420000.
2019-10-10 06:22:00,226 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:00,226 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-10 06:22:00,226 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 06:22:00,226 [root] DEBUG: DLL unloaded from 0x00210000.
2019-10-10 06:22:00,257 [root] DEBUG: DLL loaded at 0x709A0000: C:\Windows\system32\ieframe (0xa80000 bytes).
2019-10-10 06:22:00,257 [root] DEBUG: DLL loaded at 0x71E60000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-10 06:22:00,257 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 06:22:00,257 [root] DEBUG: DLL unloaded from 0x709A0000.
2019-10-10 06:22:00,257 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:00,335 [root] DEBUG: DLL loaded at 0x71880000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api (0x620000 bytes).
2019-10-10 06:22:00,430 [root] DEBUG: DLL loaded at 0x70DC0000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api (0xab5000 bytes).
2019-10-10 06:22:00,507 [root] DEBUG: DLL loaded at 0x70340000: C:\Windows\system32\ieframe (0xa80000 bytes).
2019-10-10 06:22:00,507 [root] DEBUG: DLL loaded at 0x70300000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-10 06:22:00,507 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 06:22:00,507 [root] DEBUG: DLL unloaded from 0x70340000.
2019-10-10 06:22:00,507 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:00,523 [root] DEBUG: DLL loaded at 0x6F8C0000: C:\Windows\system32\ieframe (0xa80000 bytes).
2019-10-10 06:22:00,523 [root] DEBUG: DLL loaded at 0x70D80000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-10 06:22:00,523 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 06:22:00,523 [root] DEBUG: DLL unloaded from 0x6F8C0000.
2019-10-10 06:22:00,523 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:00,539 [root] DEBUG: DLL loaded at 0x70C80000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api (0x136000 bytes).
2019-10-10 06:22:00,601 [root] DEBUG: DLL loaded at 0x70B10000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api (0x167000 bytes).
2019-10-10 06:22:00,664 [root] DEBUG: DLL loaded at 0x70090000: C:\Windows\system32\ieframe (0xa80000 bytes).
2019-10-10 06:22:00,664 [root] DEBUG: DLL loaded at 0x70050000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2019-10-10 06:22:00,664 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 06:22:00,664 [root] DEBUG: DLL unloaded from 0x70090000.
2019-10-10 06:22:00,664 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:00,680 [root] DEBUG: set_caller_info: Adding region at 0x05B40000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 06:22:00,851 [root] DEBUG: DLL loaded at 0x10000000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2 (0x95000 bytes).
2019-10-10 06:22:00,867 [root] DEBUG: set_caller_info: Adding region at 0x043F0000 to caller regions list (ntdll::NtReadFile).
2019-10-10 06:22:00,867 [root] DEBUG: set_caller_info: Adding region at 0x00820000 to caller regions list (ntdll::NtReadFile).
2019-10-10 06:22:00,867 [root] DEBUG: set_caller_info: Adding region at 0x00010000 to caller regions list (ntdll::NtReadFile).
2019-10-10 06:22:00,867 [root] DEBUG: set_caller_info: Adding region at 0x05210000 to caller regions list (ntdll::NtReadFile).
2019-10-10 06:22:00,898 [root] DEBUG: set_caller_info: Adding region at 0x03E00000 to caller regions list (ntdll::NtReadFile).
2019-10-10 06:22:00,898 [root] DEBUG: set_caller_info: Adding region at 0x06080000 to caller regions list (ntdll::NtReadFile).
2019-10-10 06:22:00,914 [root] DEBUG: set_caller_info: Adding region at 0x03280000 to caller regions list (ntdll::NtReadFile).
2019-10-10 06:22:00,914 [root] DEBUG: set_caller_info: Adding region at 0x00050000 to caller regions list (ntdll::NtReadFile).
2019-10-10 06:22:00,914 [root] DEBUG: DLL loaded at 0x03860000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ccme_base (0x76000 bytes).
2019-10-10 06:22:01,038 [root] DEBUG: DLL loaded at 0x709B0000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl (0x159000 bytes).
2019-10-10 06:22:01,069 [root] DEBUG: DLL loaded at 0x709A0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-10-10 06:22:01,085 [root] DEBUG: DLL unloaded from 0x709B0000.
2019-10-10 06:22:01,178 [root] DEBUG: DLL loaded at 0x70960000: C:\Windows\SysWOW64\oleacc (0x3c000 bytes).
2019-10-10 06:22:01,226 [root] DEBUG: set_caller_info: Adding region at 0x05160000 to caller regions list (ntdll::NtFindAtom).
2019-10-10 06:22:01,256 [root] DEBUG: DLL loaded at 0x708C0000: C:\Windows\system32\Msftedit (0x94000 bytes).
2019-10-10 06:22:02,052 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-10 06:22:03,082 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-10 06:22:03,112 [root] DEBUG: set_caller_info: Adding region at 0x05F40000 to caller regions list (ntdll::NtCreateMutant).
2019-10-10 06:22:04,142 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-10 06:22:06,561 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-10 06:22:08,651 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-10 06:22:10,742 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-10 06:22:12,832 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-10 06:22:13,940 [root] DEBUG: set_caller_info: Adding region at 0x00070000 to caller regions list (kernel32::FindResourceExA).
2019-10-10 06:22:15,951 [root] DEBUG: DLL loaded at 0x70880000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite (0x3a000 bytes).
2019-10-10 06:22:18,790 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 06:22:18,868 [root] DEBUG: set_caller_info: Adding region at 0x01CA0000 to caller regions list (ntdll::NtReadFile).
2019-10-10 06:22:19,805 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-10 06:22:25,499 [root] DEBUG: DLL loaded at 0x70850000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api (0x30000 bytes).
2019-10-10 06:22:25,515 [root] DEBUG: DLL loaded at 0x70830000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-10-10 06:22:26,154 [root] DEBUG: DLL loaded at 0x707A0000: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater (0x83000 bytes).
2019-10-10 06:22:26,186 [root] DEBUG: set_caller_info: Adding region at 0x04F90000 to caller regions list (kernel32::SetErrorMode).
2019-10-10 06:22:26,200 [root] DEBUG: DLL loaded at 0x6FD20000: C:\Windows\System32\ieframe (0xa80000 bytes).
2019-10-10 06:22:26,200 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 06:22:26,200 [root] DEBUG: DLL unloaded from 0x6FD20000.
2019-10-10 06:22:26,200 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:26,200 [root] DEBUG: DLL loaded at 0x6F2A0000: C:\Windows\System32\ieframe (0xa80000 bytes).
2019-10-10 06:22:26,217 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 06:22:26,217 [root] DEBUG: DLL unloaded from 0x6F2A0000.
2019-10-10 06:22:26,217 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:26,232 [root] DEBUG: DLL unloaded from 0x772C0000.
2019-10-10 06:22:26,247 [root] INFO: Announced 32-bit process name: Adobe_Updater.exe pid: 2684
2019-10-10 06:22:26,247 [lib.api.process] INFO: Option 'password' with value '3456' sent to monitor
2019-10-10 06:22:26,247 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 06:22:26,247 [lib.api.process] INFO: 32-bit DLL to inject is C:\jyguetdlo\dll\noVaUP.dll, loader C:\jyguetdlo\bin\PTZHRkH.exe
2019-10-10 06:22:26,247 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\UUwcyt.
2019-10-10 06:22:26,247 [root] DEBUG: Loader: Injecting process 2684 (thread 2748) with C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:26,247 [root] DEBUG: Process image base: 0x010F0000
2019-10-10 06:22:26,247 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:26,247 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0135E000 - 0x77110000
2019-10-10 06:22:26,247 [root] DEBUG: InjectDllViaIAT: Allocated 0x290 bytes for new import table at 0x01360000.
2019-10-10 06:22:26,247 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 06:22:26,247 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:26,263 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2684
2019-10-10 06:22:26,263 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 06:22:26,279 [root] INFO: Announced 32-bit process name: Adobe_Updater.exe pid: 2684
2019-10-10 06:22:26,279 [lib.api.process] INFO: Option 'password' with value '3456' sent to monitor
2019-10-10 06:22:26,279 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 06:22:26,279 [lib.api.process] INFO: 32-bit DLL to inject is C:\jyguetdlo\dll\noVaUP.dll, loader C:\jyguetdlo\bin\PTZHRkH.exe
2019-10-10 06:22:26,295 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\UUwcyt.
2019-10-10 06:22:26,295 [root] DEBUG: Loader: Injecting process 2684 (thread 2748) with C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:26,295 [root] DEBUG: Process image base: 0x010F0000
2019-10-10 06:22:26,295 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:26,295 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 06:22:26,295 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:26,295 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2684
2019-10-10 06:22:26,388 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 06:22:26,404 [root] DEBUG: CAPE debug - unrecognised key password.
2019-10-10 06:22:26,404 [root] DEBUG: Process dumps enabled.
2019-10-10 06:22:26,404 [root] INFO: Disabling sleep skipping.
2019-10-10 06:22:26,420 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 06:22:26,420 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2684 at 0x747e0000, image base 0x10f0000, stack from 0x306000-0x310000
2019-10-10 06:22:26,420 [root] DEBUG: Commandline: C:\Program Files (x86)\Common Files\Adobe\Updater6\"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US.
2019-10-10 06:22:26,420 [root] INFO: Added new process to list with pid: 2684
2019-10-10 06:22:26,420 [root] INFO: Monitor successfully loaded in process with pid 2684.
2019-10-10 06:22:26,466 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-10 06:22:26,482 [root] DEBUG: DLL loaded at 0x724B0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-10-10 06:22:26,497 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 06:22:26,497 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 06:22:26,497 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 06:22:26,497 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 06:22:26,497 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 06:22:26,497 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-10 06:22:26,497 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 06:22:26,513 [root] DEBUG: DLL unloaded from 0x724B0000.
2019-10-10 06:22:26,513 [root] DEBUG: set_caller_info: Adding region at 0x00D20000 to caller regions list (kernel32::SetErrorMode).
2019-10-10 06:22:26,543 [root] DEBUG: set_caller_info: Adding region at 0x03F20000 to caller regions list (kernel32::SetErrorMode).
2019-10-10 06:22:26,559 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:26,575 [root] DEBUG: DLL loaded at 0x704C0000: C:\Windows\system32\RICHED32 (0x6000 bytes).
2019-10-10 06:22:26,575 [root] DEBUG: DLL loaded at 0x70440000: C:\Windows\system32\RICHED20 (0x76000 bytes).
2019-10-10 06:22:26,621 [root] DEBUG: set_caller_info: Adding region at 0x00210000 to caller regions list (ntdll::memcpy).
2019-10-10 06:22:26,684 [root] DEBUG: DLL loaded at 0x70420000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2019-10-10 06:22:26,732 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-10 06:22:26,746 [root] DEBUG: DLL loaded at 0x703C0000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-10 06:22:26,746 [root] DEBUG: DLL loaded at 0x703A0000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-10 06:22:26,746 [root] DEBUG: DLL unloaded from 0x703C0000.
2019-10-10 06:22:26,746 [root] DEBUG: DLL loaded at 0x70390000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-10 06:22:26,746 [root] DEBUG: DLL loaded at 0x70380000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-10 06:22:26,746 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 06:22:26,746 [root] DEBUG: DLL unloaded from 0x703A0000.
2019-10-10 06:22:26,763 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-10 06:22:26,763 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-10 06:22:26,763 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-10 06:22:26,763 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-10 06:22:26,763 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-10 06:22:26,763 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-10 06:22:26,763 [root] DEBUG: DLL loaded at 0x70370000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-10 06:22:26,763 [root] DEBUG: DLL loaded at 0x70360000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-10 06:22:26,778 [root] DEBUG: DLL loaded at 0x70320000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-10 06:22:26,809 [root] DEBUG: DLL loaded at 0x702C0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-10-10 06:22:26,825 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-10 06:22:26,825 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 06:22:26,825 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-10 06:22:26,841 [root] DEBUG: DLL loaded at 0x702B0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2019-10-10 06:22:26,841 [root] DEBUG: DLL unloaded from 0x704E0000.
2019-10-10 06:22:26,841 [root] DEBUG: DLL unloaded from 0x70420000.
2019-10-10 06:22:29,134 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 06:22:29,180 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-10 06:22:29,336 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:30,740 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 06:22:32,628 [root] DEBUG: DLL loaded at 0x701D0000: C:\Windows\system32\ntshrui (0x70000 bytes).
2019-10-10 06:22:32,644 [root] DEBUG: DLL loaded at 0x70290000: C:\Windows\system32\srvcli (0x19000 bytes).
2019-10-10 06:22:32,660 [root] DEBUG: DLL loaded at 0x70280000: C:\Windows\system32\cscapi (0xb000 bytes).
2019-10-10 06:22:32,674 [root] DEBUG: DLL loaded at 0x70270000: C:\Windows\system32\slc (0xa000 bytes).
2019-10-10 06:22:32,690 [root] DEBUG: DLL loaded at 0x70260000: C:\Windows\system32\netutils (0x9000 bytes).
2019-10-10 06:22:32,706 [root] DEBUG: DLL unloaded from 0x010F0000.
2019-10-10 06:22:32,721 [root] DEBUG: DLL loaded at 0x70250000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-10 06:22:32,737 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 06:22:32,737 [root] DEBUG: DLL unloaded from 0x704C0000.
2019-10-10 06:22:32,737 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2684
2019-10-10 06:22:32,737 [root] DEBUG: GetHookCallerBase: thread 2748 (handle 0x0), return address 0x01235D02, allocation base 0x010F0000.
2019-10-10 06:22:32,737 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x010F0000.
2019-10-10 06:22:32,737 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 06:22:32,737 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x010F0000.
2019-10-10 06:22:32,737 [root] DEBUG: DumpProcess: Module entry point VA is 0x001480A3.
2019-10-10 06:22:32,783 [root] DEBUG: DLL loaded at 0x70450000: C:\Windows\system32\mscms (0x79000 bytes).
2019-10-10 06:22:32,799 [root] INFO: Added new CAPE file to list with path: C:\qjbdNd\CAPE\2684_1018422481345315104102019
2019-10-10 06:22:32,799 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x243600.
2019-10-10 06:22:32,799 [root] DEBUG: DLL unloaded from 0x724B0000.
2019-10-10 06:22:32,799 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 06:22:32,799 [root] DEBUG: DLL unloaded from 0x749D0000.
2019-10-10 06:22:32,799 [root] INFO: Notified of termination of process with pid 2684.
2019-10-10 06:22:33,252 [root] INFO: Process with pid 2684 has terminated
2019-10-10 06:22:48,213 [root] INFO: Announced 32-bit process name: Adobe_Updater.exe pid: 1356
2019-10-10 06:22:48,213 [lib.api.process] INFO: Option 'password' with value '3456' sent to monitor
2019-10-10 06:22:48,213 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 06:22:48,213 [lib.api.process] INFO: 32-bit DLL to inject is C:\jyguetdlo\dll\noVaUP.dll, loader C:\jyguetdlo\bin\PTZHRkH.exe
2019-10-10 06:22:48,213 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\UUwcyt.
2019-10-10 06:22:48,213 [root] DEBUG: Loader: Injecting process 1356 (thread 812) with C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:48,227 [root] DEBUG: Process image base: 0x010F0000
2019-10-10 06:22:48,227 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:48,227 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0135E000 - 0x77110000
2019-10-10 06:22:48,227 [root] DEBUG: InjectDllViaIAT: Allocated 0x290 bytes for new import table at 0x01360000.
2019-10-10 06:22:48,227 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 06:22:48,227 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:48,227 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1356
2019-10-10 06:22:48,227 [root] INFO: Announced 32-bit process name: Adobe_Updater.exe pid: 1356
2019-10-10 06:22:48,227 [lib.api.process] INFO: Option 'password' with value '3456' sent to monitor
2019-10-10 06:22:48,227 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-10 06:22:48,227 [lib.api.process] INFO: 32-bit DLL to inject is C:\jyguetdlo\dll\noVaUP.dll, loader C:\jyguetdlo\bin\PTZHRkH.exe
2019-10-10 06:22:48,259 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\UUwcyt.
2019-10-10 06:22:48,259 [root] DEBUG: Loader: Injecting process 1356 (thread 812) with C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:48,259 [root] DEBUG: Process image base: 0x010F0000
2019-10-10 06:22:48,275 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:48,305 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 06:22:48,338 [root] DEBUG: Successfully injected DLL C:\jyguetdlo\dll\noVaUP.dll.
2019-10-10 06:22:48,338 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1356
2019-10-10 06:22:48,338 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 06:22:48,338 [root] DEBUG: CAPE debug - unrecognised key password.
2019-10-10 06:22:48,338 [root] DEBUG: Process dumps enabled.
2019-10-10 06:22:48,338 [root] INFO: Disabling sleep skipping.
2019-10-10 06:22:48,352 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 06:22:48,368 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1356 at 0x747e0000, image base 0x10f0000, stack from 0x466000-0x470000
2019-10-10 06:22:48,384 [root] DEBUG: Commandline: C:\Program Files (x86)\Common Files\Adobe\Updater6\"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US.
2019-10-10 06:22:48,384 [root] INFO: Added new process to list with pid: 1356
2019-10-10 06:22:48,384 [root] INFO: Monitor successfully loaded in process with pid 1356.
2019-10-10 06:22:48,384 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-10 06:22:48,400 [root] DEBUG: DLL loaded at 0x724B0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2019-10-10 06:22:48,415 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 06:22:48,430 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-10 06:22:48,430 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 06:22:48,430 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 06:22:48,430 [root] DEBUG: DLL unloaded from 0x724B0000.
2019-10-10 06:22:48,430 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 06:22:48,447 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 06:22:48,447 [root] DEBUG: set_caller_info: Adding region at 0x00680000 to caller regions list (kernel32::SetErrorMode).
2019-10-10 06:22:48,461 [root] DEBUG: set_caller_info: Adding region at 0x045C0000 to caller regions list (kernel32::SetErrorMode).
2019-10-10 06:22:48,477 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 06:22:48,477 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:48,477 [root] DEBUG: DLL loaded at 0x70700000: C:\Windows\system32\RICHED32 (0x6000 bytes).
2019-10-10 06:22:48,477 [root] DEBUG: DLL loaded at 0x70680000: C:\Windows\system32\RICHED20 (0x76000 bytes).
2019-10-10 06:22:48,493 [root] DEBUG: set_caller_info: Adding region at 0x00370000 to caller regions list (ntdll::memcpy).
2019-10-10 06:22:48,539 [root] DEBUG: set_caller_info: Adding region at 0x00C20000 to caller regions list (user32::SetWindowLongW).
2019-10-10 06:22:48,555 [root] DEBUG: set_caller_info: Adding region at 0x006B0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-10 06:22:48,555 [root] DEBUG: DLL unloaded from 0x772C0000.
2019-10-10 06:22:48,602 [root] DEBUG: DLL loaded at 0x72430000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-10 06:22:48,602 [root] DEBUG: DLL loaded at 0x70660000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2019-10-10 06:22:48,618 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2019-10-10 06:22:48,634 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 06:22:48,634 [root] DEBUG: DLL loaded at 0x70600000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2019-10-10 06:22:48,634 [root] DEBUG: DLL loaded at 0x705E0000: C:\Windows\system32\rasman (0x15000 bytes).
2019-10-10 06:22:48,634 [root] DEBUG: DLL unloaded from 0x70600000.
2019-10-10 06:22:48,634 [root] DEBUG: DLL loaded at 0x705D0000: C:\Windows\system32\rtutils (0xd000 bytes).
2019-10-10 06:22:48,634 [root] DEBUG: DLL unloaded from 0x75600000.
2019-10-10 06:22:48,634 [root] DEBUG: DLL loaded at 0x705C0000: C:\Windows\system32\sensapi (0x6000 bytes).
2019-10-10 06:22:48,634 [root] DEBUG: DLL unloaded from 0x705E0000.
2019-10-10 06:22:48,650 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-10-10 06:22:48,664 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-10-10 06:22:48,664 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-10-10 06:22:48,680 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-10-10 06:22:48,696 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-10-10 06:22:48,711 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-10-10 06:22:48,727 [root] DEBUG: DLL loaded at 0x705B0000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-10-10 06:22:48,727 [root] DEBUG: DLL loaded at 0x705A0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2019-10-10 06:22:48,743 [root] DEBUG: DLL loaded at 0x70560000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-10-10 06:22:48,759 [root] DEBUG: DLL unloaded from 0x74F40000.
2019-10-10 06:22:48,884 [root] WARNING: File at path "C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml_" does not exist, skip.
2019-10-10 06:22:49,226 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 06:22:51,068 [root] DEBUG: DLL loaded at 0x704F0000: C:\Windows\system32\ntshrui (0x70000 bytes).
2019-10-10 06:22:51,068 [root] DEBUG: DLL loaded at 0x704D0000: C:\Windows\system32\srvcli (0x19000 bytes).
2019-10-10 06:22:51,068 [root] DEBUG: DLL loaded at 0x70200000: C:\Windows\system32\cscapi (0xb000 bytes).
2019-10-10 06:22:51,068 [root] DEBUG: DLL loaded at 0x701F0000: C:\Windows\system32\slc (0xa000 bytes).
2019-10-10 06:22:51,068 [root] DEBUG: DLL loaded at 0x701E0000: C:\Windows\system32\netutils (0x9000 bytes).
2019-10-10 06:22:51,098 [root] DEBUG: DLL unloaded from 0x010F0000.
2019-10-10 06:22:51,098 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-10 06:22:51,098 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 06:22:51,098 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-10 06:22:51,098 [root] DEBUG: DLL loaded at 0x701D0000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-10 06:22:51,114 [root] DEBUG: DLL unloaded from 0x70700000.
2019-10-10 06:22:51,114 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 06:22:51,114 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1356
2019-10-10 06:22:51,130 [root] DEBUG: GetHookCallerBase: thread 812 (handle 0x0), return address 0x01235D02, allocation base 0x010F0000.
2019-10-10 06:22:51,145 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x010F0000.
2019-10-10 06:22:51,161 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 06:22:51,161 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x010F0000.
2019-10-10 06:22:51,161 [root] DEBUG: DumpProcess: Module entry point VA is 0x001480A3.
2019-10-10 06:22:51,191 [root] INFO: Added new CAPE file to list with path: C:\qjbdNd\CAPE\1356_1116664949405415104102019
2019-10-10 06:22:51,191 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x243600.
2019-10-10 06:22:51,191 [root] DEBUG: DLL unloaded from 0x724B0000.
2019-10-10 06:22:51,207 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 06:22:51,223 [root] DEBUG: DLL unloaded from 0x749D0000.
2019-10-10 06:22:51,223 [root] INFO: Notified of termination of process with pid 1356.
2019-10-10 06:22:51,551 [root] INFO: Process with pid 1356 has terminated
2019-10-10 06:24:16,555 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-10 06:24:16,586 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-10 06:25:20,641 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-10 06:25:20,641 [root] INFO: Created shutdown mutex.
2019-10-10 06:25:21,654 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1332
2019-10-10 06:25:21,654 [root] INFO: Terminate event set for process 1332.
2019-10-10 06:25:21,654 [root] DEBUG: Terminate Event: Attempting to dump process 1332
2019-10-10 06:25:21,654 [root] INFO: Terminating process 1332 before shutdown.
2019-10-10 06:25:21,654 [root] INFO: Waiting for process 1332 to exit.
2019-10-10 06:25:21,654 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00210000.
2019-10-10 06:25:21,654 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 06:25:21,654 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00210000.
2019-10-10 06:25:21,654 [root] DEBUG: DumpProcess: Module entry point VA is 0x00004054.
2019-10-10 06:25:21,670 [root] INFO: Added new CAPE file to list with path: C:\qjbdNd\CAPE\1332_150578919021255104102019
2019-10-10 06:25:21,670 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x51600.
2019-10-10 06:25:21,670 [root] DEBUG: Terminate Event: Skipping dump of process 1332
2019-10-10 06:25:21,686 [root] DEBUG: Terminate Event: Shutdown complete for process 1332 but failed to inform analyzer.
2019-10-10 06:25:22,668 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1632
2019-10-10 06:25:22,668 [root] DEBUG: Terminate Event: Attempting to dump process 1632
2019-10-10 06:25:22,668 [root] INFO: Terminate event set for process 1632.
2019-10-10 06:25:22,668 [root] INFO: Terminating process 1632 before shutdown.
2019-10-10 06:25:22,668 [root] INFO: Waiting for process 1632 to exit.
2019-10-10 06:25:22,668 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF900000.
2019-10-10 06:25:22,668 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-10 06:25:22,668 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF900000.
2019-10-10 06:25:22,668 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2019-10-10 06:25:22,730 [root] INFO: Added new CAPE file to list with path: C:\qjbdNd\CAPE\1632_48478588422255104102019
2019-10-10 06:25:22,730 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2baa00.
2019-10-10 06:25:22,730 [root] DEBUG: Terminate Event: Skipping dump of process 1632
2019-10-10 06:25:22,730 [root] DEBUG: Terminate Event: Shutdown complete for process 1632 but failed to inform analyzer.
2019-10-10 06:25:23,674 [root] INFO: Shutting down package.
2019-10-10 06:25:23,674 [root] INFO: Stopping auxiliary modules.
2019-10-10 06:25:23,674 [root] INFO: Finishing auxiliary modules.
2019-10-10 06:25:23,674 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 06:25:23,674 [root] WARNING: File at path "C:\qjbdNd\debugger" does not exist, skip.
2019-10-10 06:25:23,674 [root] INFO: Analysis completed.

MalScore

8.5

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-10-10 05:21:55 2019-10-10 05:25:37

File Details

File Name 1m2Smart.pdf
File Size 98001 bytes
File Type PDF document, version 1.5
MD5 efc7152163e11a028e9aaee9e9d19a2a
SHA1 37e6b1ff2dc6c436822b957f59db4670aeee3897
SHA256 e78610bc3c1d77392f28aa036bcef772d88a7cb17682a0b0d9350faed8e38d62
SHA512 d90c5f48595c97d10b3c016e9c614c7eae93d33cdcba50a67d8c770ef7aea31675f018fcd83d03c8b1a7d89c2314c3f4c2872479133a4ae3d70d8a98b69c19fb
CRC32 51EB2F9F
Ssdeep 1536:i8+6MZHdr4WiqRXqvAX3mpsa3kqiklkBtLw21tGBilm34sMYSq8Qd21mzBOBMW:i76MxH8vAX2phetLXGBi8IsMjqVd2Qz8
TrID
  • 100.0% (.PDF) Adobe Portable Document Format (5000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: Adobe_Updater.exe, PID 2684
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
DeletedFile: C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
DeletedFile: C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
DeletedFile: C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
DeletedFile: C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
DeletedFile: C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml
DeletedFile: C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml_
DeletedFile: C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml.0
DeletedFile: C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml_
DeletedFile: C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.sig
DeletedFile: C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml
DeletedFile: C:\Users\user\AppData\Local\Temp\AdobeUpdater6.rbt
DeletedFile: C:\ProgramData\AdobeUpdater6.rbt
Dynamic (imported) function loading detected
DynamicLoader: PPKLite.api/PlugInMain
DynamicLoader: AcroForm.api/PlugInMain
DynamicLoader: ieframe.dll/IEIsProtectedModeProcess
DynamicLoader: ieframe.dll/IEIsProtectedModeProcess
DynamicLoader: DigSig.api/PlugInMain
DynamicLoader: EScript.api/PlugInMain
DynamicLoader: ieframe.dll/IEIsProtectedModeProcess
DynamicLoader: cryptocme2.dll/R_FIPS140_MODULE_set_failure_reason_cb
DynamicLoader: cryptocme2.dll/R_FIPS140_MODULE_get_supported_interfaces
DynamicLoader: ccme_base.dll/R_FIPS140_MODULE_set_failure_reason_cb
DynamicLoader: ccme_base.dll/R_FIPS140_MODULE_get_supported_interfaces
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: ADMPlugin.apl/main
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: UxTheme.dll/DrawThemeBackground
DynamicLoader: UxTheme.dll/GetThemeColor
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: UxTheme.dll/GetThemePartSize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: UxTheme.dll/CloseThemeData
DynamicLoader: UxTheme.dll/DrawThemeBackground
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: COMCTL32.dll/ImageList_Create
DynamicLoader: COMCTL32.dll/ImageList_ReplaceIcon
DynamicLoader: COMCTL32.dll/ImageList_Draw
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: COMCTL32.dll/ImageList_Remove
DynamicLoader: COMCTL32.dll/ImageList_Destroy
DynamicLoader: ole32.dll/RevokeDragDrop
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: ole32.dll/RevokeDragDrop
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: ole32.dll/RevokeDragDrop
DynamicLoader: USER32.dll/GetGUIThreadInfo
DynamicLoader: UxTheme.dll/BufferedPaintInit
DynamicLoader: UxTheme.dll/BeginBufferedPaint
DynamicLoader: UxTheme.dll/EndBufferedPaint
DynamicLoader: sqlite.dll/sqlite3_open_v2
DynamicLoader: sqlite.dll/sqlite3_create_function
DynamicLoader: sqlite.dll/sqlite3_busy_handler
DynamicLoader: sqlite.dll/sqlite3_prepare_v2
DynamicLoader: sqlite.dll/sqlite3_step
DynamicLoader: sqlite.dll/sqlite3_reset
DynamicLoader: sqlite.dll/sqlite3_finalize
DynamicLoader: sqlite.dll/sqlite3_close
DynamicLoader: sqlite.dll/sqlite3_get_autocommit
DynamicLoader: sqlite.dll/sqlite3_exec
DynamicLoader: sqlite.dll/sqlite3_changes
DynamicLoader: sqlite.dll/sqlite3_bind_int64
DynamicLoader: sqlite.dll/sqlite3_bind_text
DynamicLoader: sqlite.dll/sqlite3_bind_null
DynamicLoader: sqlite.dll/sqlite3_bind_int
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: SHELL32.dll/DllGetClassObject
DynamicLoader: Updater.api/PlugInMain
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: AdobeUpdater.dll/AUMDownloadMissingComponents
DynamicLoader: AdobeUpdater.dll/AUMTriggerUpdateCheck
DynamicLoader: AdobeUpdater.dll/AUMDoPluginAction
DynamicLoader: AdobeUpdater.dll/AUMRegisterApplication
DynamicLoader: AdobeUpdater.dll/AUMUnRegisterApplication
DynamicLoader: ieframe.dll/IEIsProtectedModeProcess
DynamicLoader: ieframe.dll/IEIsProtectedModeProcess
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: mscms.dll/CloseColorProfile
DynamicLoader: mscms.dll/DeleteColorTransform
DynamicLoader: mscms.dll/TranslateBitmapBits
DynamicLoader: mscms.dll/TranslateColors
DynamicLoader: mscms.dll/CheckBitmapBits
DynamicLoader: mscms.dll/InstallColorProfileW
DynamicLoader: mscms.dll/UninstallColorProfileW
DynamicLoader: mscms.dll/EnumColorProfilesW
DynamicLoader: mscms.dll/GetStandardColorSpaceProfileW
DynamicLoader: mscms.dll/GetColorProfileHeader
DynamicLoader: mscms.dll/GetColorDirectoryW
DynamicLoader: mscms.dll/CreateProfileFromLogColorSpaceW
DynamicLoader: mscms.dll/CreateMultiProfileTransform
DynamicLoader: mscms.dll/InternalGetDeviceConfig
DynamicLoader: mscms.dll/WcsOpenColorProfileW
DynamicLoader: mscms.dll/WcsGetDefaultColorProfileSize
DynamicLoader: mscms.dll/WcsGetDefaultColorProfile
DynamicLoader: mscms.dll/WcsGetDefaultRenderingIntent
DynamicLoader: mscms.dll/WcsCreateIccProfile
DynamicLoader: mscms.dll/GetColorProfileFromHandle
DynamicLoader: mscms.dll/WcsGetUsePerUserProfiles
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: LPK.dll/LpkEditControl
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadStrAlloc
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: COMCTL32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: COMCTL32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: kernel32.dll/GetSystemDefaultUILanguage
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/TryEnterCriticalSection
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.dll/GetAdaptersAddresses
DynamicLoader: dhcpcsvc.DLL/DhcpRequestParams
DynamicLoader: OLEAUT32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: PROPSYS.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: PROPSYS.dll/PSCreatePropertyStoreFromObject
DynamicLoader: PROPSYS.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: PROPSYS.dll/PropVariantToBoolean
DynamicLoader: PROPSYS.dll/InitPropVariantFromBuffer
DynamicLoader: PROPSYS.dll/PropVariantToBuffer
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: COMCTL32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: srvcli.dll/NetShareGetInfo
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: COMCTL32.dll/
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: COMCTL32.dll/
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: LPK.dll/LpkEditControl
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadStrAlloc
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: COMCTL32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: COMCTL32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: COMCTL32.dll/
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: kernel32.dll/GetSystemDefaultUILanguage
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: kernel32.dll/GetFileSizeEx
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: kernel32.dll/TryEnterCriticalSection
DynamicLoader: COMCTL32.dll/InitCommonControlsEx
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesW
DynamicLoader: USER32.dll/GetMonitorInfoW
DynamicLoader: SHELL32.dll/
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: PROPSYS.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: PROPSYS.dll/PSCreatePropertyStoreFromObject
DynamicLoader: PROPSYS.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: PROPSYS.dll/PropVariantToBoolean
DynamicLoader: PROPSYS.dll/InitPropVariantFromBuffer
DynamicLoader: PROPSYS.dll/PropVariantToBuffer
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: COMCTL32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: srvcli.dll/NetShareGetInfo
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: COMCTL32.dll/
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: COMCTL32.dll/
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
Performs HTTP requests potentially not found in PCAP.
url: swupmf.adobe.com:80//manifest/60/win/reader9rdr-en_US.upd
url: swupmf.adobe.com:80//manifest/60/win/AdobeUpdater.upd
url: swupmf.adobe.com:80//manifest/60/win/AdobeUpdater.upd
A process created a hidden window
Process: AcroRd32.exe -> "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US
Process: AcroRd32.exe -> "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
The PDF file contains suspicious characteristics
single_page: PDF contains one page. Many malicious PDFs only have one page.
Likely virus infection of existing system binary
file: c:\users\user\appdata\local\adobe\updater6\autrans.xml_

Hosts

Direct  IP             Country Name
Y       8.8.8.8        United States
N       23.212.229.74  Netherlands

DNS

Name              Response
swupmf.adobe.com  CNAME  ssl.adobe.com.edgekey.net
                  CNAME  e4578.dscb.akamaiedge.net
                  A      23.212.229.74

Summary

PDF Information

Creator \x80\xeb;\x95\x8f\x01\xefr\xbf"\xd0o6\x91%\xb1\xec\x95~\x8b\x84E82\xd6\x9c
Producer F"\x02\x9b\xbf\x03\xc2\x7f\x899\xe0j \x85H\xf3\x88\xc8\x18\xd4\xe1\x0c\x18w\xa5\xc0\x19c\xdd\x01\xea\xb33\xdc<\x8e\xc4\xdf\xe0+\xed\xa1\x17\xbd\xf9;\xc2\x9e\xa0o\xf8\xd2Yi@\x07\xda:\x8e~\x9e?\x168k\x81k\x0f\xd0\x972\xa6w-\xacL\xf6He}\x04\x81\x0eu\x8f\xd2\xd8
Author \x80\xeb;\x95\x8f\x01\xefr\xbf"\xd0o6\x91%\xb1\xec\x95~\x8b\x84E82\xd6\x9c
Total Entropy 7.982553
Entropy In Streams 7.997811
Entropy Out of Streams 5.341248
Count of "%% EOF" 1
PDF Header %PDF-1.5
Data After EOF 0 bytes
File Size 98001 bytes
Number of Pages 1

Keyword Counts

Keyword Count
/ObjStm 0
/AcroForm 0
xref 1
obj 23
/JS 0
stream 6
endobj 23
/OpenAction 0
/JavaScript 0
endstream 6
/Page 1
/RichMedia 0
startxref 1
/JBIG2Decode 0
/EmbeddedFile 0
/Encrypt 1
/AA 0
/XFA 0
/Colors > 2^24 0
/Launch 0
trailer 1

This file is not on VirusTotal.

Process Tree


AcroRd32.exe, PID: 1332, Parent PID: 2480
  Full Path: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  Command Line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\1m2Smart.pdf"
    Adobe_Updater.exe, PID: 2684, Parent PID: 1332
      Full Path: C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
      Command Line: "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US
    Adobe_Updater.exe, PID: 1356, Parent PID: 1332
      Full Path: C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
      Command Line: "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
explorer.exe, PID: 1632, Parent PID: 1496
  Full Path: C:\Windows\explorer.exe
  Command Line: C:\Windows\Explorer.EXE

TCP

Source         Source Port  Destination                       Destination Port
192.168.35.21  49193        23.212.229.74 (swupmf.adobe.com)  80
192.168.35.21  49194        23.212.229.74 (swupmf.adobe.com)  80
192.168.35.21  49207        23.212.229.74 (swupmf.adobe.com)  80

UDP

Source         Source Port  Destination  Destination Port
192.168.35.21  53447        8.8.8.8      53
192.168.35.21  58094        8.8.8.8      53

HTTP Requests

URI Data
http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
GET /manifest/60/win/reader9rdr-en_US.upd HTTP/1.1
Accept: *
User-Agent: Adobe Update Manager 6
Host: swupmf.adobe.com

http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd
GET /manifest/60/win/AdobeUpdater.upd HTTP/1.1
Accept: *
User-Agent: Adobe Update Manager 6
Host: swupmf.adobe.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name SharedDataEvents
Associated Filenames
C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
File Size 3072 bytes
File Type SQLite 3.x database
MD5 306eb129b900e24635cd2930f0f04c2e
SHA1 0239e72d27c52b9abe95fad7090e9416d22e6534
SHA256 0ad230f05a7d07a7016c65d30976cd65d0ab78f6189e386ac3bf69b3c6893a1f
CRC32 B57E766A
Ssdeep 24:r2Rx/XYKQvGJF7ursClSDj1jEDcvYDj14c:yl2GL7msCMSgvYH
ClamAV None
Yara None matched
CAPE Yara None matched
File name SharedDataEvents
Associated Filenames
C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
File Size 3072 bytes
File Type SQLite 3.x database
MD5 fcb91fe1310b16468e21e49323907c7b
SHA1 dc0157348434bb6efebcefc1b167aa6fa5b9b74a
SHA256 8cb01522f792ff13bd26a67de0e16626947b6c2974f51a0d3f4fd766fa865bed
CRC32 15A820F5
Ssdeep 24:rPRx/XYKQvGJF7urshftDDj1aEDcv3oDj14c:dl2GL7msP7gv3oH
ClamAV None
Yara None matched
CAPE Yara None matched
File name SharedDataEvents-journal
Associated Filenames
C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
File Size 3088 bytes
File Type data
MD5 d1171caba972ccf7e5411c2d44dfad9d
SHA1 8a3e476e112c7951d8597fb98ba0d032bb9c66b7
SHA256 956c56450262cecc8df678dde1739c90591667abcd13fc6d9591ca439126d45c
CRC32 A410C720
Ssdeep 24:7+t4MDj1jEDcvYDj1wx82Rx/XYKQvGJF7urso:7MtSgvYexzl2GL7mso
ClamAV None
Yara None matched
CAPE Yara None matched
File name SharedDataEvents-journal
Associated Filenames
C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
File Size 1024 bytes
File Type data
MD5 d15d3c2bc5b4da89f74d833bf0e55dad
SHA1 ed77d5452c823e46adfd294bac7d3d425d466163
SHA256 7b9439789b0a801f9589df8f2c93392602b2e61ad62866a6bb8ba342eaffdcce
CRC32 65B4109B
Ssdeep 3:7FEG2l/6C0xll:7+/l/
ClamAV None
Yara None matched
CAPE Yara None matched
File name SharedDataEvents-journal
Associated Filenames
C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
File Size 1024 bytes
File Type data
MD5 8dc6db7a7a393c07aa30e745660cc9b1
SHA1 77e7df553da9a2c716f53b866f9745fe47cbbe6e
SHA256 d00e81ff0077ea5e30c3c3cedfec45036eabe6780b5d40f76bfc50de00174283
CRC32 CC11C535
Ssdeep 3:7FEG2l/5le0xll:7+/l/5E
ClamAV None
Yara None matched
CAPE Yara None matched
File name SharedDataEvents-journal
Associated Filenames
C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
File Size 1024 bytes
File Type data
MD5 62742f3790df9b36545c1d1c2ddf38ae
SHA1 58a1010d7cbcdb3b6eef52718cb955d5f4f80f83
SHA256 7873c69a40cd5d8fd8d89aee9eaa385da1d794daff9077b2b2a8a360aba004bf
CRC32 8CBFE89A
Ssdeep 3:7FEG2l/XvSllm5ll:7+/l/Xu
ClamAV None
Yara None matched
CAPE Yara None matched
File name SharedDataEvents-journal
Associated Filenames
C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents-journal
File Size 1024 bytes
File Type data
MD5 c04a048fad65afa1ec4c49a2d1fbaf01
SHA1 bc4e12b0b8a712f9520317278e164cbb4f8099e7
SHA256 d266f3a7f1018ce748762f9f62a1cb4c0e6f3c94de1f611fd7f8202ae266d9ec
CRC32 B69E3A03
Ssdeep 3:7FEG2l/5l6u5ll:7+/l/5
ClamAV None
Yara None matched
CAPE Yara None matched
File name UserCache.bin
Associated Filenames
C:\Users\user\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin
File Size 56179 bytes
File Type data
MD5 8c188ac5f19a4347d24bb39c24ad66bd
SHA1 8ac56c008ba314e31f6756d1376fa3514d41d88b
SHA256 ae72898125661a5d383970f70137405d804585ecb183d92d7a74f727654c39fe
CRC32 D114B459
Ssdeep 768:OIlwCakRJvDt3XV6nuukunCaC86ROdlRYyu:1wCakRJLt3XVAaunCatNTK
ClamAV None
Yara None matched
CAPE Yara None matched
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 141 bytes
File Type XML 1.0 document, ASCII text
MD5 9cd49a3300bd539a43fe1d1d861bfbdf
SHA1 1f914131b57d8f6e644c3c650546b5da75fe820e
SHA256 d44d0ed609da468b3cf881eb46ddd379d1e53326036b190d8d8560fee73c532b
CRC32 F288FEE9
Ssdeep 3:vFWWMNHU8LdgC/Zw8b6Cw0IAucpkVkE2J5kHayRf/gMJ+vZE7bn:TMVBdxwle9uOk/23kHayt4M0M
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 164 bytes
File Type XML 1.0 document, ASCII text
MD5 f8b6f7bedff6f4a40d4ad073da387d24
SHA1 13eaa6d7067a6ec7ff8674f6d6018f14e6a8a6fd
SHA256 bb36a7632b594658beba34e81a077cf83332bc6d59afb535243191cef6db70ab
CRC32 C3B3F019
Ssdeep 3:vFWWMNHU8LdgC/Zw8b6Cw0IAucpkVkE2J5kHayRf/gMJ+vZEXsuJS7bn:TMVBdxwle9uOk/23kHayt4M0RuJY
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 197 bytes
File Type XML 1.0 document, ASCII text
MD5 7baaab500a5b342588416929ec58415b
SHA1 1fe14329ee015ced298f7fd691172642fd4c216f
SHA256 c901f4faeebef941d64c0af686d6c30da6b43dda9e3c71c2bbc89632ae6041ed
CRC32 9976FB2A
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrM:TMHdx7U14buJX1UI
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 226 bytes
File Type XML 1.0 document, ASCII text
MD5 f0dadee3baaed64da84a3b5eab72845a
SHA1 f3c8e23359c437a27bee87f487d776edfb12021b
SHA256 5cefbe85c95dcaec905c6ac3e7e2b028139d678111143dc8f41c6deff3221ab7
CRC32 5665246F
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrpL1sPu1WDA:TMHdx7U14buJX1UC50
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
<SilentCheck>0</SilentCheck>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 261 bytes
File Type XML 1.0 document, ASCII text
MD5 2c37eb858ea506ad4c1f61dd51ecd7bb
SHA1 6c5d37f53d4fd3ab77b3fbe002ee5c40ab62a4ad
SHA256 8e3d4f3eb4cb482156f68e14dd00b4754472d259842c6620ec49b17f50e124de
CRC32 6B5AD32B
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrpL1sPu1Wn7qj6kO:TMHdx7U14buJX1UC5G6kO
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
<SilentCheck>0</SilentCheck>
<ConnectionType>0</ConnectionType>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 279 bytes
File Type XML 1.0 document, ASCII text
MD5 4a731bf60bd15a04f09580cff994c5c2
SHA1 32d0c74c9b508978d598b1480b5a60db83544c0a
SHA256 36561dcc2adfb795352a8721813e9aa1fc669ef29bb9ce2e4fdb67142c82c320
CRC32 53DAA5A1
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrpL1sPu1Wn7qjDrLl:TMHdx7U14buJX1UC5GDfl
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
<SilentCheck>0</SilentCheck>
<ConnectionType>0</ConnectionType>
<Launch></Launch>
</AdobeUpdater>
File name aum.log
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\aum.log
File Size 1168 bytes
File Type ASCII text, with CRLF line terminators
MD5 144868261757e784ddd03974b57c66fb
SHA1 d900558c34277740defd0949fb7873a3003b7c3a
SHA256 6f192f7c0ecbfdcf38a14606636c24d5ee9b67c4e54f750cd20d53426c186e31
CRC32 4E519EF4
Ssdeep 24:dJNMdLBmjbZ/8ZQbcrOsZUTNQbVurOZOZUTAblTRx:dJOdLub+ZQbcysihQbVuyZOiETRx
ClamAV None
Yara None matched
CAPE Yara None matched
2019-10-10T15:22:26: >>> Adobe Updater Log Begin >>>
2019-10-10T15:22:26: cmdline option: -logFile = C:\Users\user\AppData\Local\Adobe\Updater6\aum.log
2019-10-10T15:22:26: cmdline option: -logLevel = 2
2019-10-10T15:22:26: Display Language requested = 
2019-10-10T15:22:27: Valid AppID added from global xml file = reader9rdr-en_US
2019-10-10T15:22:27: Could not load adobe_aum2pcd.dll
2019-10-10T15:22:27: No Startup mode specified.
2019-10-10T15:22:34: GetAppIDUpdates: getting available update info for AppID: reader9rdr-en_US
2019-10-10T15:53:17: GetAppIDUpdates: getting .upd file: http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
2019-10-10T15:53:17: GetAppIDUpdates: GetManifestProcessingError = 3
2019-10-10T15:53:17: GetAppIDUpdates: getting available update info for AppID: AdobeUpdater
2019-10-10T15:53:18: GetAppIDUpdates: getting .upd file: http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd
2019-10-10T15:53:18: GetAppIDUpdates: GetManifestProcessingError = 3
2019-10-10T15:53:21: sLaunchMode is = 
2019-10-10T15:53:24: No manual/schedule workflow to process next
2019-10-10T15:53:34: <<< Adobe Updater Log End <<<


File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 288 bytes
File Type XML 1.0 document, ASCII text
MD5 93fcf39e287cf5fbca52977cdc0f603a
SHA1 f3bd010eb09f7b813e97c89ed1b890a215a1a49f
SHA256 1e20601dfcd501a475f2915d97be7328dbc455624194ad94325982a8f64289d7
CRC32 1A75FB6C
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrpL1sPu1Wn7qjnoh:TMHdx7U14buJX1UC5GU
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
<SilentCheck>0</SilentCheck>
<ConnectionType>0</ConnectionType>
<Launch>Scheduled</Launch>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 288 bytes
File Type XML 1.0 document, ASCII text
MD5 f9a4946bf91b12edee40849b29357eb0
SHA1 a2a772a2dc65fb412df0f88dcbba9140f0ac2db3
SHA256 297be46b6f069a281f4c8620f89a70cddec0c4fc16465fb11349abf95c62a5e1
CRC32 7E4F9DB6
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrpL1q51Wn7qjnoh:TMHdx7U14buJX1Ue2GU
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
<SilentCheck>1</SilentCheck>
<ConnectionType>0</ConnectionType>
<Launch>Scheduled</Launch>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 315 bytes
File Type XML 1.0 document, ASCII text
MD5 fb2893d2aec0a499d0bcc4650146f8a9
SHA1 8d8cbb03da38b2691170cfabd6f2c1ba6d311f09
SHA256 e000315912533e6c1747d3ec6758cce9b69f0957a7ef4c19409c074c48f96b28
CRC32 9BB8AA8D
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrpL1q51Wn7qjno/N930:TMHdx7U14buJX1Ue2GQ0
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
<SilentCheck>1</SilentCheck>
<ConnectionType>0</ConnectionType>
<Launch>Scheduled</Launch>
<IsFirstRun>0</IsFirstRun>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 342 bytes
File Type XML 1.0 document, ASCII text
MD5 de29cfe2a583f1bbf7341aae0581b6f8
SHA1 47ac9e2a6c0869131ead8b879d7b3f49ff1f83cd
SHA256 d0b78193186991931de2e5350b72f60035a10c2866b7daffcc38c2dcc660f7f9
CRC32 60B4B5AA
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrpL1q51Wn7qjno/N93TcL18G:TMHdx7U14buJX1Ue2GQQuG
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
<SilentCheck>1</SilentCheck>
<ConnectionType>0</ConnectionType>
<Launch>Scheduled</Launch>
<IsFirstRun>0</IsFirstRun>
<InTrayIcon>1</InTrayIcon>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 333 bytes
File Type XML 1.0 document, ASCII text
MD5 460fb2f8982b60a8228e55996e71830b
SHA1 c6ea4c893e276acba8968a758fbbce393ed6017e
SHA256 38d89e2654a2ed63f66ff8340c9205b12ceef66352610ee365036c27ca88ffe7
CRC32 4F2F7158
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrpL1q51Wn7qjDrLjN93TcL18G:TMHdx7U14buJX1Ue2GDfbQuG
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
<SilentCheck>1</SilentCheck>
<ConnectionType>0</ConnectionType>
<Launch></Launch>
<IsFirstRun>0</IsFirstRun>
<InTrayIcon>1</InTrayIcon>
</AdobeUpdater>
File name AdobeUpdaterPrefs.dat
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
File Size 375 bytes
File Type XML 1.0 document, ASCII text
MD5 16c923b53d42e7dc1de2d68d837632d7
SHA1 4168f9feb65cc609703823f5ecea55970396729c
SHA256 87770e38df380171107d23ad256da4fdfedd6cf493ef3d856a517b120045fd82
CRC32 C08628C2
Ssdeep 6:TMVBdxwle9uOk/23kHayt4M0RuJASJ1rAG6FHrpL1q51Wn7qjDrLjN93TcL18jWm:TMHdx7U14buJX1Ue2GDfbQuCu9W0
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AdobeUpdater>
<logFile>C:\Users\user\AppData\Local\Adobe\Updater6\aum.log</logFile>
<logLevel>2</logLevel>
<DisplayLang>en_US</DisplayLang>
<SilentCheck>1</SilentCheck>
<ConnectionType>0</ConnectionType>
<Launch></Launch>
<IsFirstRun>0</IsFirstRun>
<InTrayIcon>1</InTrayIcon>
<LastDateCheck>2019-10-10</LastDateCheck>
</AdobeUpdater>
File name AUTrans.xml
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml
C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml.0
C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml_
File Size 270 bytes
File Type XML 1.0 document, ASCII text
MD5 04ed38ce472563155aca49ef07663c34
SHA1 cbed1379d7eed337773af479ece0ade86f18b6d7
SHA256 216d48a7e5295961e74dd0b63fd6aeb7d28cf5bd0c266b696ccb7402e3125d7c
CRC32 31153431
Ssdeep 6:TMVBdx5R/GDWAoJ1CxERhFHCq3t5mKuLeyGQXbhvQE1Gj:TMHdx5Re671CxqXHCILm32e5i
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AUTransaction>
<AUClient AppID="AdobeUpdater">
<DisplayName>Adobe Updater</DisplayName>
<InstallPath>C:\Program Files (x86)\Common Files\Adobe\Updater6</InstallPath>
<State>3</State>
<Error>3</Error>
</AUClient>
</AUTransaction>
File name AUTrans.sig
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.sig
File Size 32 bytes
File Type data
MD5 778669d84d08308654ee2a5042e2f900
SHA1 35e619a6824ebad5027f949722a943bec2e5dc32
SHA256 38c7696d305e853163fa80279fc59c703d9b1b3096eac2c62efe5a3b4c2c7041
CRC32 C5C726F8
Ssdeep 3:IzXDdJ:OH
ClamAV None
Yara None matched
CAPE Yara None matched
File name AUTrans.xml_
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml_
C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.xml
File Size 72 bytes
File Type XML 1.0 document, ASCII text
MD5 6cc0cef04360924ec91ce62905e33add
SHA1 1f162d34db290a5280da8bed04212077b66cbeac
SHA256 685b7da59e67b1d6ff9995907ac764936c39910b81ca20c4701810db5c7a1ebd
CRC32 BC90B0E1
Ssdeep 3:vFWWMNHU8LdgC/Z5R1JMK1iJMK3:TMVBdx5R/hGj
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-8" ?>
<AUTransaction></AUTransaction>
File name AUTrans.sig
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\AUTrans.sig
File Size 32 bytes
File Type data
MD5 6a5ca88a70df39d042adffbb9ac761ca
SHA1 c5e2bc0973f6e6254770f3f90503514b3b2d8249
SHA256 c6a5723473734831e724d64103a05c8c42bf9b21d06da3c9d9cfcebf9e5b5cb8
CRC32 ABBFB1B3
Ssdeep 3:Xv6YRV4JQh:Xv5Rieh
ClamAV None
Yara None matched
CAPE Yara None matched
File name aum.log
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\aum.log
File Size 2443 bytes
File Type ASCII text, with CRLF line terminators
MD5 b8ebcd77b63ea5ae6c7dfaa8672939f7
SHA1 f54c096461b1bcdd7d1bd67e417f432838de4d26
SHA256 cf663915a74369b9a15282aeb8fc485f0ab85b62bdaf8a8100f1333ee76382e8
CRC32 4FCF6C1F
Ssdeep 48:dJOdLub+ZQbcysihQbVuyZOiETRbJW1zVItQbV1+yZUXilKitkciRBYnx:9kX2Ox1tUTYx
ClamAV None
Yara None matched
CAPE Yara None matched
2019-10-10T15:22:26: >>> Adobe Updater Log Begin >>>
2019-10-10T15:22:26: cmdline option: -logFile = C:\Users\user\AppData\Local\Adobe\Updater6\aum.log
2019-10-10T15:22:26: cmdline option: -logLevel = 2
2019-10-10T15:22:26: Display Language requested = 
2019-10-10T15:22:27: Valid AppID added from global xml file = reader9rdr-en_US
2019-10-10T15:22:27: Could not load adobe_aum2pcd.dll
2019-10-10T15:22:27: No Startup mode specified.
2019-10-10T15:22:34: GetAppIDUpdates: getting available update info for AppID: reader9rdr-en_US
2019-10-10T15:53:17: GetAppIDUpdates: getting .upd file: http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
2019-10-10T15:53:17: GetAppIDUpdates: GetManifestProcessingError = 3
2019-10-10T15:53:17: GetAppIDUpdates: getting available update info for AppID: AdobeUpdater
2019-10-10T15:53:18: GetAppIDUpdates: getting .upd file: http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd
2019-10-10T15:53:18: GetAppIDUpdates: GetManifestProcessingError = 3
2019-10-10T15:53:21: sLaunchMode is = 
2019-10-10T15:53:24: No manual/schedule workflow to process next
2019-10-10T15:53:34: <<< Adobe Updater Log End <<<


2019-10-10T15:22:48: >>> Adobe Updater Log Begin >>>
2019-10-10T15:22:48: cmdline option: -logFile = C:\Users\user\AppData\Local\Adobe\Updater6\aum.log
2019-10-10T15:22:48: cmdline option: -logLevel = 2
2019-10-10T15:22:48: Display Language requested = en_US
2019-10-10T15:22:48: Valid AppID added from global xml file = reader9rdr-en_US
2019-10-10T15:22:48: Could not load adobe_aum2pcd.dll
2019-10-10T15:22:48: New AUM launched for schedule update...
2019-10-10T15:22:48: Entering normal workflow...
2019-10-10T15:23:22: GetAppIDUpdates: getting available update info for AppID: AdobeUpdater
2019-10-10T15:53:12: GetAppIDUpdates: getting .upd file: http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd
2019-10-10T15:53:12: GetAppIDUpdates: GetManifestProcessingError = 3
2019-10-10T15:53:25: Result of GetOpenTransaction: = 3
2019-10-10T15:53:32: sLaunchMode is = 
2019-10-10T15:53:35: No manual/schedule workflow to process next
2019-10-10T15:53:35: bDoNormalWF=false
2019-10-10T15:53:35: bHasPendingMissingComp=false
2019-10-10T15:53:35: bProcessExpressTrans=true
2019-10-10T15:53:35: bProcessNormalTrans=false
2019-10-10T15:53:41: Quitting loop from normal WF, no other workflows to process
2019-10-10T15:53:49: <<< Adobe Updater Log End <<<


File name aumLib.log
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Updater6\aumLib.log
File Size 1049 bytes
File Type ASCII text, with CRLF line terminators
MD5 7909aa76a71246e0958eaccf7e0675f4
SHA1 05c4d1b877eb0e3eca156ba4797b2717a6e931dc
SHA256 0349fd07188a35c52a5b2cea7f7802b50cdf3f91c19a6d999e3cc0939c11ad7b
CRC32 10E616F2
Ssdeep 24:HJCeehAMjYUXeaRjpX2fX2HTR24XWOFQX2vFX2vJX6Xsv0HPA2CR1Fh:HJCee+r+jRRB2N+Y5L/
ClamAV None
Yara None matched
CAPE Yara None matched
2019-10-10T15:23:56: >>> Adobe Updater Log Begin >>>
2019-10-10T15:23:56: logFile: = C:\Users\user\AppData\Local\Adobe\Updater6\aumLib.log
2019-10-10T15:23:56: logLevel: = 2
2019-10-10T15:23:56: Vista IE Protected Mode:No
2019-10-10T15:23:56: In AUMDoPluginAction(...)
2019-10-10T15:23:56: appIdentifierreader9rdr-en_US
2019-10-10T15:23:56: Has admin priv.
2019-10-10T15:23:56: ForkUpdater.
2019-10-10T15:23:56: return code = 0(ESD_ERR_OK)
2019-10-10T15:25:02: In AUMTriggerUpdateCheck(...)
2019-10-10T15:25:02: appIdentifierreader9rdr-en_US
2019-10-10T15:25:02: appFolderPathC:\Program Files (x86)\Adobe\Reader 9.0\Reader
2019-10-10T15:25:02: AUMTriggerType = 1
2019-10-10T15:25:02: appDisplayNameAdobe Reader 9
2019-10-10T15:25:02: appDisplayLangen_US
2019-10-10T15:25:02: bOverrideData= true
2019-10-10T15:25:02: Has admin priv.
2019-10-10T15:25:06: Trigger Update: AppIdentifier: reader9rdr-en_US
AppFolder: C:\Program Files (x86)\Adobe\Reader 9.0\Reader
Update Type: =  Scheduled Update
2019-10-10T15:25:19: Launching AUM.
File name updater.log
Associated Filenames
C:\Users\user\AppData\Local\Adobe\Acrobat\9.0\Updater\updater.log
File Size 347 bytes
File Type ASCII text, with CRLF line terminators
MD5 3b77ba058e4f703970b76c0460fa63c6
SHA1 f64bc996e52a73ce15e1276a3254b290464cb7a7
SHA256 1a3c8cf6e0dfaa2a2f697c22a9baee4c287a183e7f4a89265308e93c489b17fe
CRC32 C0E4A0BD
Ssdeep 6:P9AHVt5kD4hK8zfdxTvfWK85LEEEoOvA4FFNpOmHu4FFNplyRRjqXADv:Pi1L24IS/f3aLJ+oggglyRRjqs
ClamAV None
Yara None matched
CAPE Yara None matched
 : Loading AUM Integration library at path C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll.
 : Successfully loaded AUM integration library
 : Successfully found all library entry points.  Library is valid.
 : Entering GetAppID()
 : AUMDoPluginAction returns => 0
 : Entering GetAppID()
 : AUMTriggerUpdateCheck returns => 0

Sorry! No CAPE files.

Process Name Adobe_Updater.exe
PID 2684
Dump Size 2373120 bytes
Module Path C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
Type PE image: 32-bit executable
MD5 f7d58e14c64551b9c02d3c22281d51fa
SHA1 f1d289638b5ee41262b2b8de05756f8b4b64ec27
SHA256 c73ca753d82455004035d97596cc8e7bc42350805bd47ea355e474efca7bc991
CRC32 C56A93BF
Ssdeep 49152:V8BNBPH3B5f8af+5vbGyiA9pgFnXa4a2Ew3tmWQ68jTMTRYi4r:0Hx53yiKeq4a2EsBmr
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename c73ca753d82455004035d97596cc8e7bc42350805bd47ea355e474efca7bc991
Process Name Adobe_Updater.exe
PID 1356
Dump Size 2373120 bytes
Module Path C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
Type PE image: 32-bit executable
MD5 981e327052015977b1593fa05fb656bb
SHA1 0f933bc44cbb4b8a387306883175a924955d407d
SHA256 84ae817e2d1193715d7afe4e774a041df8b9281ad6ddcd30909091e5c7478735
CRC32 9736EA99
Ssdeep 49152:V8BNBPH3B5f8af+5vbGyiA9pgFnXa4a2Ew3tmWQ68jTMTRYi4f:0Hx53yiKeq4a2EsBmf
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 84ae817e2d1193715d7afe4e774a041df8b9281ad6ddcd30909091e5c7478735
Process Name AcroRd32.exe
PID 1332
Dump Size 333312 bytes
Module Path C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
Type PE image: 32-bit executable
MD5 9e42f3baf7722dfcce33dcf3675d166c
SHA1 13301db9ed646946107b2e79fb230afa98a76598
SHA256 cf38612868db54b21206a45ae27c1a6ff8e7d3ff87d17ab833d483611da59fca
CRC32 6D449214
Ssdeep 1536:iCJNFd4CNIKgamS3L8gOf5BN49aJfXgY1zUTyr5hVa8:i+iA1mCVOh4+XgTTSjM8
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename cf38612868db54b21206a45ae27c1a6ff8e7d3ff87d17ab833d483611da59fca
Process Name explorer.exe
PID 1632
Dump Size 2861568 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
MD5 4ed504d4fb090a40a415cab83e265980
SHA1 7926aae7bfe3183c2ab4be98bc5f9410a9be532a
SHA256 a81deaa8ec92510ae3fc050ac62fb652b45d653a6220f118cbb40c18d762cca1
CRC32 50B13B66
Ssdeep 49152:kxrceI/lIRYraisQhFCUurvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:GrcPlIWevYYYYYYYYYYYRYYYYYYYYYY4
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename a81deaa8ec92510ae3fc050ac62fb652b45d653a6220f118cbb40c18d762cca1


Processing ( 11.983 seconds )

  • 4.5 CAPE
  • 4.095 ProcDump
  • 1.967 BehaviorAnalysis
  • 0.501 Static
  • 0.399 Deduplicate
  • 0.335 Dropped
  • 0.082 TrID
  • 0.051 TargetInfo
  • 0.038 NetworkAnalysis
  • 0.009 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 1.299 seconds )

  • 0.438 antidbg_windows
  • 0.086 decoy_document
  • 0.08 api_spamming
  • 0.077 stealth_timeout
  • 0.073 antiav_detectreg
  • 0.069 NewtWire Behavior
  • 0.028 infostealer_ftp
  • 0.023 antivm_vbox_window
  • 0.021 Doppelganging
  • 0.021 mimics_filetime
  • 0.02 antivm_generic_disk
  • 0.018 antisandbox_script_timer
  • 0.016 virus
  • 0.016 infostealer_im
  • 0.015 bootkit
  • 0.015 stealth_file
  • 0.015 antianalysis_detectreg
  • 0.014 reads_self
  • 0.013 antivm_generic_scsi
  • 0.012 infostealer_mail
  • 0.01 hancitor_behavior
  • 0.009 antiav_detectfile
  • 0.009 ransomware_files
  • 0.008 injection_createremotethread
  • 0.008 InjectionCreateRemoteThread
  • 0.007 injection_runpe
  • 0.007 InjectionProcessHollowing
  • 0.007 antivm_vbox_keys
  • 0.006 InjectionInterProcess
  • 0.006 infostealer_bitcoin
  • 0.005 antivm_generic_services
  • 0.005 antivm_vmware_keys
  • 0.005 recon_fingerprint
  • 0.004 exploit_heapspray
  • 0.004 antiemu_wine_func
  • 0.004 betabot_behavior
  • 0.004 kibex_behavior
  • 0.004 shifu_behavior
  • 0.004 ransomware_message
  • 0.004 dynamic_function_loading
  • 0.004 persistence_autorun
  • 0.004 antivm_vbox_files
  • 0.004 antivm_xen_keys
  • 0.004 ransomware_extensions
  • 0.003 malicious_dynamic_function_loading
  • 0.003 uac_bypass_eventvwr
  • 0.003 antidebug_guardpages
  • 0.003 stack_pivot
  • 0.003 Extraction
  • 0.003 Raccoon Behavior
  • 0.003 infostealer_browser_password
  • 0.003 vawtrak_behavior
  • 0.003 kovter_behavior
  • 0.003 antivm_parallels_keys
  • 0.003 geodo_banking_trojan
  • 0.003 darkcomet_regkeys
  • 0.002 sets_autoconfig_url
  • 0.002 antivm_vbox_libs
  • 0.002 antiav_avast_libs
  • 0.002 infostealer_browser
  • 0.002 exploit_getbasekerneladdress
  • 0.002 recon_programs
  • 0.002 Vidar Behavior
  • 0.002 exploit_gethaldispatchtable
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_generic_diskreg
  • 0.002 antivm_vpc_keys
  • 0.002 disables_browser_warn
  • 0.001 lsass_credential_dumping
  • 0.001 stack_pivot_file_created
  • 0.001 tinba_behavior
  • 0.001 network_tor
  • 0.001 rat_nanocore
  • 0.001 rat_luminosity
  • 0.001 RegBinary
  • 0.001 injection_explorer
  • 0.001 modifies_desktop_wallpaper
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 ipc_namedpipe
  • 0.001 exec_crash
  • 0.001 uac_bypass_cmstp
  • 0.001 InjectionSetWindowLong
  • 0.001 neshta_files
  • 0.001 disables_wfp
  • 0.001 cerber_behavior
  • 0.001 antiav_bitdefender_libs
  • 0.001 securityxploded_modules
  • 0.001 antidbg_devices
  • 0.001 antivm_xen_keys
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vmware_files
  • 0.001 modify_proxy
  • 0.001 bypass_firewall
  • 0.001 network_torgateway
  • 0.001 packer_armadillo_regkey
  • 0.001 rat_pcclient
  • 0.001 remcos_regkeys

Reporting ( 0.028 seconds )

  • 0.015 CompressResults
  • 0.013 SubmitCAPE
Task ID 94403
Mongo ID 5d9ec0eb2a62a82c531dd34d
Cuckoo release 1.3-CAPE