Malware Analysis Report

2024-11-30 19:55

Sample ID 220224-rwyy7sedfk
Target 02bd842c7b587c145a18836f8180846c.exe
SHA256 f4d358d649b4194238e4f9ef8fc2722da3aa8fb6a9eb89e590359fbed7205989
Tags
betabot backdoor botnet evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4d358d649b4194238e4f9ef8fc2722da3aa8fb6a9eb89e590359fbed7205989

Threat Level: Known bad

The file 02bd842c7b587c145a18836f8180846c.exe was found to be: Known bad.

Malicious Activity Summary

betabot backdoor botnet evasion persistence trojan

BetaBot

Modifies firewall policy service

Registers COM server for autorun

Sets file execution options in registry

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Modifies Internet Explorer Protected Mode Banner

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Enumerates system info in registry

Modifies Internet Explorer Protected Mode

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-24 14:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-24 14:33

Reported

2022-02-24 14:36

Platform

win7-20220223-es

Max time kernel

4294210s (not plausible for a run reported three minutes after submission; treat it as a sandbox kernel-timer artifact and use the 153s network figure as the detonation length)

Max time network

153s

Command Line

taskeng.exe {040ABB88-28D2-41E3-A415-0799580D208A} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A

Both profiles are switched off by the SysWOW64 explorer.exe the sample injected into (see Suspicious use of WriteProcessMemory below), not by the sample's own process; attribution by process name alone would miss this.

Sets file execution options in registry

persistence

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Device Driver Setup 1.2.510.2001 = "C:\\ProgramData\\Device Driver Setup\\uuei551aq.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Device Driver Setup 1.2.510.2001 = "\"C:\\ProgramData\\Device Driver Setup\\uuei551aq.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 864 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer Protected Mode

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer Protected Mode Banner

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A
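The registry rows above (both firewall profiles switched off, the Run and RunOnce entries named Device Driver Setup 1.2.510.2001, the EnableLUA query, the zone 2500 and NoProtectedModeBanner writes, the BIOS and CPU reads) are all in the sandbox's flattened "Description Indicator Process Target" line form. The Python below is an added example, not part of this report or of the sandbox's own tooling: it parses rows in that form and applies a small triage rule set that maps each row to the ATT&CK technique it evidences. The embedded rows are copied from the tables above; the rule set, the technique mapping and the column-splitting heuristic (a space followed by C:\ first occurs at the Process column, because any path inside the Indicator text is quoted) are the example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: registry rows copied from the behavioral1 signature
# tables, in the sandbox's flattened "Description Indicator Process Target"
# line form.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Device Driver Setup 1.2.510.2001 = "\"C:\\ProgramData\\Device Driver Setup\\uuei551aq.exe\"" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A',
]

# Description-column values that occur in this report; the parser anchors on them.
ACTIONS = ("Key value queried", "Key created", "Key opened",
           "Set value (int)", "Set value (str)")


@dataclass
class RegEvent:
    action: str
    path: str              # registry key or value path
    data: Optional[str]    # data written (Set value rows), else None
    process: str


def parse_row(row: str) -> RegEvent:
    """Split one flattened row into its columns.

    Heuristic (holds for every registry row in this report): the Target
    column is N/A, and a space followed by 'C:\\' first appears at the start
    of the Process column because paths inside the Indicator are quoted.
    """
    action = next((a for a in ACTIONS if row.startswith(a + " ")), None)
    if action is None:
        raise ValueError(f"unrecognised description: {row[:40]!r}")
    rest = row[len(action) + 1:]
    if rest.endswith(" N/A"):
        rest = rest[:-len(" N/A")]
    cut = rest.rfind(" C:\\")
    if cut < 0:
        raise ValueError("no process column found")
    indicator, process = rest[:cut], rest[cut + 1:]
    data = None
    if " = " in indicator:
        indicator, data = indicator.split(" = ", 1)
        # Undo the sandbox's quoting and backslash doubling of the data.
        data = data.strip('"\\').replace("\\\\", "\\")
    return RegEvent(action, indicator, data, process)


def triage(events: List[RegEvent]) -> List[Tuple[str, str, str]]:
    """Map registry events to (ATT&CK technique, finding, acting process)."""
    out = []
    for e in events:
        p = e.path.lower()
        if "firewallpolicy" in p and p.endswith("\\enablefirewall") and e.data == "0":
            out.append(("T1562.004", "Windows Firewall profile disabled", e.process))
        elif "\\currentversion\\run" in p and e.action == "Set value (str)":
            where = "ProgramData" if "\\programdata\\" in (e.data or "").lower() else "other"
            out.append(("T1547.001", f"Run/RunOnce autostart -> {where}: {e.data}", e.process))
        elif p.endswith("\\policies\\system\\enablelua") and e.action == "Key value queried":
            out.append(("T1012", "UAC state (EnableLUA) queried", e.process))
        elif "\\internet settings\\zones\\" in p and p.endswith("\\2500") and e.data == "3":
            out.append(("T1112", "IE Protected Mode off for zone (2500=3)", e.process))
        elif p.endswith("\\internet explorer\\main\\noprotectedmodebanner") and e.data == "1":
            out.append(("T1112", "IE Protected Mode warning banner suppressed", e.process))
        elif "\\hardware\\description\\system" in p:
            out.append(("T1497.001", "BIOS/CPU description read (VM check)", e.process))
    return out


def run_sample() -> List[Tuple[str, str, str]]:
    return triage([parse_row(r) for r in SAMPLE_ROWS])


if __name__ == "__main__":
    for tid, finding, proc in run_sample():
        print(f"{tid:10} {finding:60} {proc}")
```

The rules key on the value path, not on the process, which is what makes the firewall and Run-key rows attributable to explorer.exe here: the acting process is whatever the sandbox logged, and the injection chain below explains why that is not the sample's own image.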

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (one event per privilege; 33 is a privilege LUID the sandbox did not resolve to a name) | N/A | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | N/A
Token: the same 14 privileges, in the same order | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

The sample and the injected explorer.exe request an identical privilege set in an identical order, consistent with the same code running in both.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 864 wrote to memory of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | 17
PID 1200 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | C:\Windows\SysWOW64\explorer.exe | 7
PID 940 wrote to memory of 1244 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\Dwm.exe | 6
PID 940 wrote to memory of 1308 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\Explorer.EXE | 6
PID 940 wrote to memory of 524 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\taskeng.exe | 6

Identical rows are collapsed; the Events column is the number of WriteProcessMemory calls the sandbox logged for that writer and target.
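Read together, the SetThreadContext row and the WriteProcessMemory rows above describe a three-stage chain: PID 864 writes into a second copy of its own image (PID 1200) and replaces its thread context, PID 1200 writes into a SysWOW64 explorer.exe (PID 940), and PID 940 then writes into Dwm.exe, the 64-bit Explorer.EXE and taskeng.exe. The Python below is an added example, not part of the report: it rebuilds that chain from rows in the sandbox's line form and labels each edge. The rows are constructed to reproduce the counts in this report; the labels (the hollowing pattern is inferred from a same-image child receiving both memory writes and a context swap) and the assumption that image paths contain no spaces are the example's own.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed input reproducing the SetThreadContext and WriteProcessMemory
# rows of behavioral1 (one line per event, same counts as the report).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe"
EXPLORER32 = r"C:\Windows\SysWOW64\explorer.exe"
DWM = r"C:\Windows\system32\Dwm.exe"
EXPLORER64 = r"C:\Windows\Explorer.EXE"
TASKENG = r"C:\Windows\system32\taskeng.exe"

SAMPLE_ROWS = (
    [f"PID 864 set thread context of 1200 N/A {SAMPLE} {SAMPLE}"]
    + [f"PID 864 wrote to memory of 1200 N/A {SAMPLE} {SAMPLE}"] * 17
    + [f"PID 1200 wrote to memory of 940 N/A {SAMPLE} {EXPLORER32}"] * 7
    + [f"PID 940 wrote to memory of 1244 N/A {EXPLORER32} {DWM}"] * 6
    + [f"PID 940 wrote to memory of 1308 N/A {EXPLORER32} {EXPLORER64}"] * 6
    + [f"PID 940 wrote to memory of 524 N/A {EXPLORER32} {TASKENG}"] * 6
)

# Assumes image paths contain no spaces, which holds for every row here.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

Edge = Tuple[int, int]


def build_graph(rows: List[str]):
    """Return (write count per edge, edges with a context swap, pid -> image)."""
    writes: Counter = Counter()
    ctx: set = set()
    image: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # not an injection row
        src, dst = int(m["src"]), int(m["dst"])
        image[src], image[dst] = m["src_img"], m["dst_img"]
        if m["op"] == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, image


def classify(edge: Edge, ctx: set, image: Dict[int, str]) -> str:
    src, dst = edge
    if edge in ctx and image[src].lower() == image[dst].lower():
        # Writer and target share an image and the writer swapped the
        # target's thread context: the hollowing / RunPE pattern.
        return "T1055.012 process hollowing"
    if image[dst].lower().startswith("c:\\windows\\"):
        return "T1055 write into Windows system process"
    return "T1055 cross-process write"


def injection_chain(rows: List[str]) -> List[Tuple[int, int, int, str]]:
    """(writer pid, target pid, write count, technique) per writer->target edge."""
    writes, ctx, image = build_graph(rows)
    return [(s, d, n, classify((s, d), ctx, image)) for (s, d), n in sorted(writes.items())]


def roots(edges) -> List[int]:
    """Writers that nobody wrote into: where the chain starts."""
    targets = {d for _, d, _, _ in edges}
    return sorted({s for s, _, _, _ in edges if s not in targets})


def render(rows: List[str]) -> List[str]:
    """Indented tree from the root injector, one line per edge."""
    edges = injection_chain(rows)
    _, _, image = build_graph(rows)
    children = defaultdict(list)
    for s, d, n, why in edges:
        children[s].append((d, n, why))
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        for d, n, why in sorted(children[pid]):
            lines.append(f"{'  ' * depth}{pid} -> {d} {image[d]} [{n} writes] {why}")
            walk(d, depth + 1)

    for r in roots(edges):
        lines.append(f"{r} {image[r]}")
        walk(r, 1)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
```

The tree is what to hand to whoever reads the registry and network evidence: every persistence and firewall write in this run is attributed to PID 940, which is two injection hops away from the file that was submitted.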

Processes

C:\Windows\system32\taskeng.exe

taskeng.exe {040ABB88-28D2-41E3-A415-0799580D208A} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe

"C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe"

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task

C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe

"C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp
US | 20.109.209.108:80 | windowsupdate.microsoft.com | tcp
US | 8.8.8.8:53 | eaxses.cat | udp
US | 8.8.8.8:53 | huhujo.cat | udp
US | 8.8.8.8:53 | nknkd.cat | udp
US | 8.8.8.8:53 | gagaxx.cat | udp
US | 8.8.8.8:53 | eaxsess.cat | udp
US | 8.8.8.8:53 | drdrfdd.cat | udp
US | 8.8.8.8:53 | huhujoo.cat | udp
US | 8.8.8.8:53 | nknkdd.cat | udp
US | 8.8.8.8:53 | nknkddx.cat | udp
US | 8.8.8.8:53 | nknkddx2.cat | udp
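The Network table is per VM, not per process, so the one thing it shows on its own is which names were only ever resolved: each of the ten .cat domains was looked up over UDP/53 and none received a TCP connection, while windowsupdate.microsoft.com, the OS's own traffic, both resolved and connected. The Python below is an added example, not part of the report: it parses rows in the table's form, lists lookup-only domains after removing an assumed OS baseline, and emits one Suricata DNS rule per domain (dns.query buffer, Suricata 5 or later). The baseline suffix list, the SIDs and the "BetaBot C2 candidate" label in the rule message are the example's own placeholders.

```python
from collections import Counter
from typing import Dict, List

# Constructed input: the behavioral1 Network table, as
# "Country Destination Domain Proto" lines.
NETWORK_ROWS = """\
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 20.109.209.108:80 windowsupdate.microsoft.com tcp
US 8.8.8.8:53 eaxses.cat udp
US 8.8.8.8:53 huhujo.cat udp
US 8.8.8.8:53 nknkd.cat udp
US 8.8.8.8:53 gagaxx.cat udp
US 8.8.8.8:53 eaxsess.cat udp
US 8.8.8.8:53 drdrfdd.cat udp
US 8.8.8.8:53 huhujoo.cat udp
US 8.8.8.8:53 nknkdd.cat udp
US 8.8.8.8:53 nknkddx.cat udp
US 8.8.8.8:53 nknkddx2.cat udp
"""

# Domains the sandbox OS itself talks to: an assumed baseline, extend per image.
BASELINE_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_network(text: str) -> List[Dict[str, object]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        events.append({"country": country, "ip": ip, "port": int(port),
                       "domain": domain, "proto": proto})
    return events


def lookup_only_domains(events) -> List[str]:
    """Domains queried over DNS that never received a follow-on TCP flow.

    In this run every .cat name was queried and nothing was connected to,
    which is what a dead, unresolvable or sinkholed C2 list looks like from
    inside a sandbox.
    """
    queried = {e["domain"] for e in events if e["proto"] == "udp" and e["port"] == 53}
    connected = {e["domain"] for e in events if e["proto"] == "tcp"}
    return sorted(d for d in queried - connected if not d.endswith(BASELINE_SUFFIXES))


def tld_histogram(domains) -> Counter:
    """How concentrated the candidate list is on one TLD."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


def suricata_rules(domains, base_sid: int = 1000001) -> List[str]:
    """One DNS-query alert per domain; SIDs are placeholders in the local range."""
    return [
        f'alert dns $HOME_NET any -> any any (msg:"BetaBot C2 candidate lookup {d}"; '
        f'dns.query; content:"{d}"; nocase; endswith; classtype:trojan-activity; '
        f'sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


if __name__ == "__main__":
    events = parse_network(NETWORK_ROWS)
    cands = lookup_only_domains(events)
    print(f"{len(cands)} lookup-only domains, TLDs: {dict(tld_histogram(cands))}")
    print("\n".join(suricata_rules(cands)))
```

The near-duplicate names (eaxses/eaxsess, huhujo/huhujoo, nknkd/nknkdd/nknkddx/nknkddx2) read as a hand-built fallback list rather than a generation algorithm, so a per-domain rule set is the right granularity; anything broader on the .cat TLD would be noise.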

Files

memory/864-54-0x00000000765E1000-0x00000000765E3000-memory.dmp

memory/1200-55-0x0000000000300000-0x0000000000400000-memory.dmp

memory/864-58-0x00000000002E0000-0x00000000002E5000-memory.dmp

memory/1200-56-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-57-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-59-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-60-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-61-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-62-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-63-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-64-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-65-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-66-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-67-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-68-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-70-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/1200-71-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1200-72-0x0000000000270000-0x00000000002D6000-memory.dmp

memory/1200-73-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/1200-74-0x0000000000270000-0x00000000002D6000-memory.dmp

memory/1200-75-0x0000000077E70000-0x0000000077E71000-memory.dmp

memory/1200-79-0x0000000001980000-0x000000000198D000-memory.dmp

memory/1200-78-0x0000000001C00000-0x0000000001C01000-memory.dmp

memory/1200-77-0x00000000002AA000-0x00000000002AB000-memory.dmp

memory/1200-80-0x0000000003550000-0x000000000355C000-memory.dmp

memory/940-83-0x0000000077E60000-0x0000000077FE1000-memory.dmp

memory/940-82-0x0000000075491000-0x0000000075493000-memory.dmp

memory/940-84-0x0000000000090000-0x0000000000141000-memory.dmp

memory/940-86-0x00000000001F0000-0x00000000001FD000-memory.dmp

memory/940-87-0x0000000000350000-0x000000000035C000-memory.dmp

memory/940-88-0x00000000000CA000-0x00000000000CB000-memory.dmp

memory/940-89-0x0000000000340000-0x0000000000341000-memory.dmp

memory/940-85-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/940-90-0x0000000000570000-0x0000000000572000-memory.dmp

memory/1308-91-0x0000000077CD1000-0x0000000077CD2000-memory.dmp

memory/1308-92-0x00000000027D0000-0x00000000027D6000-memory.dmp

memory/524-93-0x0000000077CD1000-0x0000000077CD2000-memory.dmp
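The Files list names memory dumps as memory/<pid>-<sequence>-<start>-<end>-memory.dmp, so region sizes and re-dump counts can be recovered from the names alone: the 0x400000 to 0x18B4000 region of PID 1200 is dumped thirteen times, and the 0x90000 to 0x141000 region of the injected explorer.exe (PID 940) once. The Python below is an added example, not part of the report: it parses the names above and, per PID, picks the largest region outside the shared system-DLL range as the first candidate for unpacked-payload triage. The 0x70000000 floor for system DLLs on 32-bit Windows 7 and the 64 KiB minimum size are the example's own heuristics.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed input: the behavioral1 "Files" list (memory dump names).
DUMP_NAMES = """\
memory/864-54-0x00000000765E1000-0x00000000765E3000-memory.dmp
memory/1200-55-0x0000000000300000-0x0000000000400000-memory.dmp
memory/864-58-0x00000000002E0000-0x00000000002E5000-memory.dmp
memory/1200-56-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-57-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-59-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-60-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-61-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-62-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-63-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-64-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-65-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-66-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-67-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-68-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-70-0x0000000000400000-0x00000000018B4000-memory.dmp
memory/1200-71-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1200-72-0x0000000000270000-0x00000000002D6000-memory.dmp
memory/1200-73-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1200-74-0x0000000000270000-0x00000000002D6000-memory.dmp
memory/1200-75-0x0000000077E70000-0x0000000077E71000-memory.dmp
memory/1200-79-0x0000000001980000-0x000000000198D000-memory.dmp
memory/1200-78-0x0000000001C00000-0x0000000001C01000-memory.dmp
memory/1200-77-0x00000000002AA000-0x00000000002AB000-memory.dmp
memory/1200-80-0x0000000003550000-0x000000000355C000-memory.dmp
memory/940-83-0x0000000077E60000-0x0000000077FE1000-memory.dmp
memory/940-82-0x0000000075491000-0x0000000075493000-memory.dmp
memory/940-84-0x0000000000090000-0x0000000000141000-memory.dmp
memory/940-86-0x00000000001F0000-0x00000000001FD000-memory.dmp
memory/940-87-0x0000000000350000-0x000000000035C000-memory.dmp
memory/940-88-0x00000000000CA000-0x00000000000CB000-memory.dmp
memory/940-89-0x0000000000340000-0x0000000000341000-memory.dmp
memory/940-85-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/940-90-0x0000000000570000-0x0000000000572000-memory.dmp
memory/1308-91-0x0000000077CD1000-0x0000000077CD2000-memory.dmp
memory/1308-92-0x00000000027D0000-0x00000000027D6000-memory.dmp
memory/524-93-0x0000000077CD1000-0x0000000077CD2000-memory.dmp
""".split()

NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Heuristics: on 32-bit Windows 7 the shared system DLLs sit at 0x7xxxxxxx;
# anything below is the process's own image, heap or private allocations.
SYSTEM_DLL_FLOOR = 0x70000000
DEFAULT_IMAGE_BASE = 0x400000


def parse_dumps(names: List[str]) -> List[Dict[str, int]]:
    out = []
    for n in names:
        m = NAME_RE.match(n)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        out.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                    "start": start, "end": end, "size": end - start})
    return out


def candidate_payloads(dumps, min_size: int = 0x10000) -> Dict[int, Dict[str, int]]:
    """Per PID, the largest non-system-DLL region and how often it was re-dumped.

    Repeated snapshots of one region mean the sandbox saw it rewritten; for a
    region at the default image base that is what unpacking or hollowing
    looks like.
    """
    snaps: Dict[int, Dict[tuple, int]] = defaultdict(lambda: defaultdict(int))
    for d in dumps:
        if d["start"] < SYSTEM_DLL_FLOOR and d["size"] >= min_size:
            snaps[d["pid"]][(d["start"], d["end"])] += 1
    result = {}
    for pid, regions in snaps.items():
        (start, end), count = max(regions.items(), key=lambda kv: kv[0][1] - kv[0][0])
        result[pid] = {"start": start, "end": end, "size": end - start,
                       "snapshots": count,
                       "at_image_base": int(start == DEFAULT_IMAGE_BASE)}
    return result


if __name__ == "__main__":
    for pid, r in sorted(candidate_payloads(parse_dumps(DUMP_NAMES)).items()):
        flag = " (default image base)" if r["at_image_base"] else ""
        print(f"PID {pid}: 0x{r['start']:08X}-0x{r['end']:08X} {r['size']:>10,d} bytes, "
              f"{r['snapshots']} snapshot(s){flag}")
```

For this run the ranking puts the 21 MiB image-base region of the hollowed PID 1200 first and the 708 KiB region at 0x90000 in the injected explorer.exe second; PIDs 864, 1308 and 524 drop out because their only dumps are tiny or in the system-DLL range.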

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-24 14:33

Reported

2022-02-24 14:36

Platform

win10v2004-es-20220112

Max time kernel

150s

Max time network

126s

Command Line

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A

Registers COM server for autorun

persistence

Sets file execution options in registry

persistence

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A | 48

All 48 loads are by MsiExec.exe, the Windows Installer client, and the sandbox recorded neither the DLL paths nor a parent or injection link from the sample to that process. Read together with the Adobe Reader files under Drops file in Program Files directory below, this is the sandbox image's own Reader update running during the detonation, not something the sample dropped.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Device Driver Setup 1.2.510.2001 = "\"C:\\ProgramData\\Device Driver Setup\\5m199o17.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Device Driver Setup 1.2.510.2001 = "C:\\ProgramData\\Device Driver Setup\\5m199o17.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target | Events
File opened (read-only) | \??\A: through \??\Z:, every letter except C: and D: | C:\Windows\system32\msiexec.exe | N/A | 24

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Elevation.tmp | C:\Windows\syswow64\MsiExec.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3632 set thread context of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe | C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe

Drops file in Program Files directory

Every row below is written by Adobe Reader's own updater (RdrServicesUpdater.exe, AdobeARMHelper.exe) or by the Windows Installer service (msiexec.exe), not by the sample or by the explorer.exe it injected into. This is the sandbox image's background Reader update running during the detonation; do not count these files as dropped by the sample without a parent-process link that the report does not show.

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\next-arrow-default.svg | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\js\nls\eu-es\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\css\main-selector.css | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-recent-files\js\nls\sk-sk\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\japanese_over.png | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\search-summary\js\nls\en-il\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\js\nls\sv-se\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup\AdobeARM.exe | C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\home\css\main-selector.css | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\app-center\js\nls\sv-se\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\large_trefoil_2x.png | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\images\new_icons_retina.png | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_it_135x40.svg | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\s_folder-default_32.svg | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\Close2x.png | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview.png | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\PlayStore_icon.svg | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-computer\js\nls\ru-ru\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\editpdf\css\main-selector.css | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_download_pdf_18.svg | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\ob-preview\js\nls\root\ui-strings.js | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\images\example_icons2x.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\send-for-sign\js\nls\cs-cz\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_delete_18.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\cs-cz\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\js\nls\uk-ua\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\s_auditreport_18.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\js\nls\pl-pl\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\my-files\images\themes\dark\illustrations_retina.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\task-handler\js\nls\ja-jp\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\themes\dark\next-arrow-default.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapter.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\core\dev\nls\fr-fr\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\images\Close.png C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\on-boarding\images\themeless\fullscreen-exit-press.svg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\files\dev\nls\zh-tw\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\activity-badge\js\nls\es-es\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\scan-files\images\themeless\[email protected] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIE3EF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d32.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d42.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d46.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d57.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d98.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9da2.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI88EC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d3f.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d49.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d5c.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d8b.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d8e.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d91.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9da4.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA040.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d38.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d97.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4966.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8CB7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-0804-1033-1959-001824311644}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d2d.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d37.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d56.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d7e.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d7e.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9daa.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9da9.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d47.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d68.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d8a.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d8d.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d90.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d99.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9da0.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE350.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d77.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d8f.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d9a.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d2f.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d7f.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d50.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d5d.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d9a.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d3b.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d58.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d64.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9da1.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI122C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\APIFile_8.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFA8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA235.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d41.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d4c.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d5a.HDR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d80.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d92.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\1ce9d9c.HDR C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AC76BA86-0804-1033-1959-001824311644} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\1ce9d39.HDR C:\Windows\system32\msiexec.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\explorer.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppName = "AcroBroker.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\AppName = "RdrCEF.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppName = "AcroRd32.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\AppName = "AcroRd32.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppName = "AcroRd32.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}\AppPath = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}\AppName = "AdobeCollabSync.exe" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.xfdf\CLSID = "{CA8A9780-280D-11CF-A24D-444553540000}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroPDF.PDF.1\DocObject C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{BE79C475-D632-4A57-91B3-DA044FA27CDA}\1.0\HELPDIR C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID\ = "PDFPrevHndlr.PDFPreviewHandler" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\ = "IAccID" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\ProgID\ = "Adobe.AcrobatSearch.1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DefaultExtension\ = ".pdf, PDF Files (*.pdf)" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\ = "Adobe PDF Reader" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA73301B744CAF070E41400\Atmosphere_3D = "Reader_Big_Features" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithProgids C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\ = "CAcroApp" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroAccess.AcrobatAccess.1\CLSID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\2 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E7-4981-101B-9CA8-9240CE2738AE}\TypeLib\Version = "1.1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EE-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3F1-4981-101B-9CA8-9240CE2738AE}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.fdf\OpenWithProgids\AcroExch.FDFDoc = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\ = "PDFShellServer 1.0 Type Library" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\ToolboxBitmap32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll, 102" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3ED-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{BE79C475-D632-4A57-91B3-DA044FA27CDA}\1.0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.fdf C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xfdf C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AdobeAcrobat.OpenDocuments\CurVer\ = "AdobeAcrobat.OpenDocuments.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD069A1-50AA-11D1-B8F0-00A0C9259304}\Programmable\ C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDE0D630-7801-47cd-984E-1F0AFBC5ACBF}\VersionIndependentProgID\ = "Adobe.Reader.HTMLPreview" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PDXFileType C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ = "CAcroPDAnnot" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3B813CE7-7C10-4F84-AD06-9DF76D97A9AA}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF\CLSID\ = "{CA8A9780-280D-11CF-A24D-444553540000}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\acrobat\URL Protocol C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{566A7BC7-B295-41B7-A818-12F9E5CA46CA}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\PDXFileType\shell\Read\command\command = 3300340054004c006000690060005a00350028004e0033003200260028006a0046007b0029002100520065006100640065007200500072006f006700720061006d00460069006c00650073003e006600570044004b003600510062006e006400390033002600280053005e0046004a006900340030002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE}\TypeLib\Version = "1.1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xfdf\OpenWithProgids C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroBroker.exe\"" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E8-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7EA23D88-569E-4EFD-9851-A1528A7745F9} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.pdfxml.1\shell\Read\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.Document C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\ = "Adobe Acrobat XML Data Package File" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.secstore\OpenWithProgids\AcroExch.SecStore = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\MiscStatus C:\Windows\syswow64\MsiExec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\ProgramData\Device Driver Setup\5m199o17.exe N/A
N/A N/A C:\ProgramData\Device Driver Setup\5m199o17.exe N/A
N/A N/A C:\ProgramData\Device Driver Setup\5m199o17.exe N/A
N/A N/A C:\ProgramData\Device Driver Setup\5m199o17.exe N/A
N/A N/A C:\ProgramData\Device Driver Setup\5m199o17.exe N/A
N/A N/A C:\ProgramData\Device Driver Setup\5m199o17.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
N/A N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeMachineAccountPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeSystemProfilePrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeSystemtimePrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeAuditPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeUndockPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeSyncAgentPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeManageVolumePrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3632 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe
PID 3232 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Windows\SysWOW64\explorer.exe
PID 3232 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Windows\SysWOW64\explorer.exe
PID 3232 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe C:\Windows\SysWOW64\explorer.exe
PID 1100 wrote to memory of 1820 N/A C:\Windows\SysWOW64\explorer.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PID 1100 wrote to memory of 1820 N/A C:\Windows\SysWOW64\explorer.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PID 1100 wrote to memory of 3764 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
PID 1100 wrote to memory of 3764 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
PID 1100 wrote to memory of 3964 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
PID 1100 wrote to memory of 3964 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
PID 3764 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1200 wrote to memory of 8 N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PID 1200 wrote to memory of 8 N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PID 1200 wrote to memory of 8 N/A C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PID 3764 wrote to memory of 3732 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 3732 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 3732 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 308 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 308 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 308 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3764 wrote to memory of 3456 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI122B.tmp
PID 3764 wrote to memory of 3456 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI122B.tmp
PID 3764 wrote to memory of 3456 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI122B.tmp
PID 2448 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
PID 2448 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
PID 3764 wrote to memory of 216 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
PID 3764 wrote to memory of 216 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
PID 3764 wrote to memory of 216 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

Processes

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe

"C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe"

C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe

"C:\Users\Admin\AppData\Local\Temp\02bd842c7b587c145a18836f8180846c.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1100 -ip 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1112

C:\ProgramData\Device Driver Setup\5m199o17.exe

/prstb

C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe

"C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe" -Embedding

C:\ProgramData\Device Driver Setup\5m199o17.exe

/prstb

C:\ProgramData\Device Driver Setup\5m199o17.exe

/prstb

C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe

"C:\ProgramData\Adobe\ARM\S\26430\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\26430" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 99742CE4491F0D6DEBACBB588560F4D6

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 641BCF5319292F15FD8D1EF6A30FAAB3 E Global\MSI0000

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\26430" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 58060081544A959343BB6ED8627F7E5B

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k wusvcs -p

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 69761CD3BD6D6A53B28EA4A86F142681 E Global\MSI0000

C:\Windows\Installer\MSI122B.tmp

"C:\Windows\Installer\MSI122B.tmp" /b 2 120 0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update /updateSource:ODSU

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /updateSource:ODSU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20098 19.010.20069.0

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

Network

Country Destination Domain Proto
NL 8.248.5.231:80 tcp
US 8.8.8.8:53 ardownload.adobe.com udp
FR 2.22.22.88:80 ardownload.adobe.com tcp
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp
US 13.107.21.200:443 tcp
US 67.24.25.254:80 tcp

Files

C:\ProgramData\Device Driver Setup\5m199o17.exe

MD5 02bd842c7b587c145a18836f8180846c
SHA1 9a17bab1f56906321a4574e87b6720ab24946b3d
SHA256 f4d358d649b4194238e4f9ef8fc2722da3aa8fb6a9eb89e590359fbed7205989
SHA512 d8bcad2d452f51bfbfde6dc6546d9893e9a869c7475962626c60b54187d6937f6114aa3ef0bc1fac20f9e55ebdcee952630797dc24cf54f4779230add820c7d2

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_2079419749121868515718619966411506192663.msi

MD5 daef9610629678de57c4567339f6e52c
SHA1 3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f
SHA256 9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701
SHA512 9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

C:\Windows\Installer\MSIA040.tmp

MD5 fadffef98d0f28368b843c6e9afd9782
SHA1 578101fadf1034c4a928b978260b120b740cdfb9
SHA256 73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886
SHA512 ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

C:\Windows\Installer\MSIA439.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

MD5 10a58da77ae2073d1baf4f13630ea516
SHA1 aed9c3190f2a2508a150b2f03568f9aa0b4f00c0
SHA256 cb914e1a70aa98cbaae25192df867d73605aa9ae5db4ef77c274c266c2d0b2d8
SHA512 a83454e609d88111463e620f0ea2f2e066ec87136716ccc5146fab432a5fba8778335d9597cbf7bdf475207962194e0f6cf9c97ad8830c4694a23f5aa0a7766d

C:\Windows\Installer\MSIA4F6.tmp

MD5 4184a5369d3bd6592b1db5cd2ac465ef
SHA1 be848190344933e38e0d40f0d56854594f113c42
SHA256 5f7b6321625dbc7901a8c22fc70d1902654aef3e47499d9e243ad7c2f83a0ac5
SHA512 49c10020c012cf89cfe27f31e51ca844c8ae0de9c21d3f491e5cab2b737693e1e09b37b4b8aeb1745524b0adce4a19ecc7d158b6eb97bcf2ba59c13569c200b1

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 50b17d217f07d5968b34f42311638f74
SHA1 de0c092e9e157288c661f3471301fc5ee1bddbb5
SHA256 9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c
SHA512 5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

MD5 fd59fc6011af0e430fdc63aa15b6de75
SHA1 376a72f8ca10471b391d082e09d357a8a067e432
SHA256 28bafddf4f7f85cca3551a3920012e59a6fc4f9334ba80b9f755b43e605f9899
SHA512 11df7b783292f0d08df57eac67d25e1a2dac77010c2f3794dfc6895b532787a2cd2d57b7f72be04354db12a4082ed6760e322de766d6191c7b77c5e0f739c0b4

C:\ProgramData\Adobe\ARM\ArmReport.ini

MD5 a7096eb4dc2e60bbcb32a77bb8ce2e00
SHA1 0563b2f73514f09d0a19fbd504fa356c90d66b27
SHA256 499c08ad4305408f21e78d26e748073acb61a4c2917cb3e5bd62578ea5c13af9
SHA512 508e66aa7311691f0b9944876ade5880f5170443b445042b09a447ad5dcaf8079982cea11a0d7e4b71361fdfa083c6ea280761967173fc20d01eb764798ac902

C:\Windows\Installer\MSICB6B.tmp

MD5 c23d4d5a87e08f8a822ad5a8dbd69592
SHA1 317df555bc309dace46ae5c5589bec53ea8f137e
SHA256 6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512 fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

C:\Windows\Installer\MSICDFC.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSICE3B.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSICE9A.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSICEAB.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSICEAB.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSID061.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSID061.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSID583.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSID583.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSID64F.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSID64F.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIE350.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIE350.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIE39F.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSIE39F.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSIE3BF.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSIE3BF.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSIE3EF.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIE3EF.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIE49C.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIE49C.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 50b17d217f07d5968b34f42311638f74
SHA1 de0c092e9e157288c661f3471301fc5ee1bddbb5
SHA256 9ad7c8083743312c9742f5844f6eff38d9273c3e363ed872ec3640303764e74c
SHA512 5dddf066ebaecdffda6a023704f86b53849d8ba2806b196a71eadb6e250fc77681cab009c1feec691d27aaf0049d0358ac38d17ffe4d73d7a8af5952c5a2c6fb

C:\Users\Admin\AppData\Local\Temp\AdobeARM_NotLocked.log

MD5 ae67f1d03b3033f08eb8fe76b43feb5b
SHA1 d59f51e5f0c884a06bb1cbc4e8679fddea10da60
SHA256 d945650ca73691bad48a95e57b3da9485a6706d848c62ef0023eafabbfeee546
SHA512 8e4c4c5ebc0818d72124e02c8d81e790cd3887b744a14d2d8f4b06ac99b56204f798ed8ea1c6ec346e224d717c14daafccffa9039866754357bdced50991c697

C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

MD5 864c22fb9a1c0670edf01c6ed3e4fbe4
SHA1 bf636f8baed998a1eb4531af9e833e6d3d8df129
SHA256 b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0
SHA512 ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

C:\Windows\Installer\MSIF306.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Windows\Installer\MSIF306.tmp

MD5 0e91605ee2395145d077adb643609085
SHA1 303263aa6889013ce889bd4ea0324acdf35f29f2
SHA256 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA512 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\DeviceHealthSummaryConfiguration.ini

MD5 07a93831155298421b5342a9dbe36ef5
SHA1 7181afb21800157c15bf5b29d4a0cff01717621d
SHA256 304193482087b2f62a247dd478e9ea4b7b0d471a693240575d4c151f743a76ce
SHA512 db3e05f5debaf437d8a60cd96469bd3e29eba3d8563bbcae267af0f19f9ddda70605443e363ed6798c4b0150a7299a2967b375345f5739ec1bd9c6494a7af76c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Installer\MSIE01.tmp

MD5 f88c6a79abbb5680ae8628fbc7a6915c
SHA1 6e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA256 5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA512 33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

C:\Windows\Installer\MSIE01.tmp

MD5 f88c6a79abbb5680ae8628fbc7a6915c
SHA1 6e1eb7906cdae149c6472f394fa8fe8dc274a556
SHA256 5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed
SHA512 33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

C:\Windows\Installer\MSIFA8.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSIFA8.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI1045.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI1045.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI11CD.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI11CD.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI122C.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI122C.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI128B.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI128B.tmp

MD5 67f23a38c85856e8a20e815c548cd424
SHA1 16e8959c52f983e83f688f4cce3487364b1ffd10
SHA256 f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA512 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

C:\Windows\Installer\MSI122B.tmp

MD5 260cc3aeb3c5994f5a07dbeaf1d80d43
SHA1 ed1ff111c77b3422ad282c43cdde06254d1fa8b4
SHA256 65671cf7ac4ae49a411c47592cc337fe0b8ffa3cfb0a1ce5a219cae8c22012b8
SHA512 4aba5ade56ade7b27c93be844d88737ad7b3fa99e1bde484cd97f46b3bf05d82c394310d025167a4702fedba45bcbb14710c94a57b03f8f0e31ca5abba11cadc

C:\Windows\Installer\MSI122B.tmp

MD5 260cc3aeb3c5994f5a07dbeaf1d80d43
SHA1 ed1ff111c77b3422ad282c43cdde06254d1fa8b4
SHA256 65671cf7ac4ae49a411c47592cc337fe0b8ffa3cfb0a1ce5a219cae8c22012b8
SHA512 4aba5ade56ade7b27c93be844d88737ad7b3fa99e1bde484cd97f46b3bf05d82c394310d025167a4702fedba45bcbb14710c94a57b03f8f0e31ca5abba11cadc

C:\Windows\Installer\MSI12EA.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

C:\Windows\Installer\MSI12EA.tmp

MD5 be0b6bea2e4e12bf5d966c6f74fa79b5
SHA1 8468ec23f0a30065eee6913bf8eba62dd79651ec
SHA256 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512 dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b