masslogger | 8bc36f61610304148652cc7748ac1a215290f720d9e5e8df53d1d3b2c3c0e5fd

Analysis

max time kernel
687s
max time network
1589s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
06-09-2022 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

readerdc64_en_ga_cra_mdr_install.exe
Size

1.2MB
MD5

a2e37f954986af9f88342b20b2965646
SHA1

b298ce01bc93e8391acca3a07c0d06021df30dd6
SHA256

8bc36f61610304148652cc7748ac1a215290f720d9e5e8df53d1d3b2c3c0e5fd
SHA512

a492235f0e6de5f93200e0886bf4d3d77629777f28a5d517e87c3bb45e4266f339ab6a66d889434e617a3e4cec7248b488fb1e5aa0a73b6498ed7ec2d4073e7a
SSDEEP

24576:YDDuX33Kl7LoDozrFH1edTVyJFeMxbsRIHZ9lWzirNj:pHKFcD4FHnU+bhgo

Score

10^/10

masslogger discovery persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

Vidar log file 1 IoCs

Detects a log file produced by Vidar.

Processes:

resource	yara_rule
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\Core.cab	vidar_log_file

Executes dropped EXE 14 IoCs

Processes:

E00E35BA-66D7-4867-AD29-E95A88F6748Asetup.exeMSI7FE6.tmpFullTrustNotifier.exeADelRCP.exeSingleClientServicesUpdater.exearmsvc.exeSingleClientServicesUpdater.exeMSI11C9.tmp97B4858D-F842-4497-A9C1-CD7645B6FEEFMcCHSvc.exeMcCHSvc.exeSSScheduler.exearmsvc.exe

pid	process
4864	E00E35BA-66D7-4867-AD29-E95A88F6748A
548	setup.exe
2200	MSI7FE6.tmp
332	FullTrustNotifier.exe
5024	ADelRCP.exe
4964	SingleClientServicesUpdater.exe
4188	armsvc.exe
1640	SingleClientServicesUpdater.exe
4848	MSI11C9.tmp
3412	97B4858D-F842-4497-A9C1-CD7645B6FEEF
5084	McCHSvc.exe
1888	McCHSvc.exe
3252	SSScheduler.exe
4312	armsvc.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{A6EADE66-0000-0000-484E-7E8A45000000}	MsiExec.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

msiexec.exeMsiExec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{123FCDEB-862C-41BE-A256-19CFF2CA2F44}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\InProcServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C402-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD2C8897-2BE8-459c-B8E4-0D2FCFD341F0}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C401-4E34-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF76CB60-2EC8-101B-B02E-04021C009402}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FF76CB60-2E68-101B-B02E-04021C009402}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FF76CB60-2EC8-101B-B02E-04021C009402}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EAF0840-690A-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\AcrobatInfo.exe\" /PDFShell"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EAF0840-690A-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{13C3C803-0CEF-4AE1-AF81-B73DD04BCAB5}\InProcServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{123FCDEB-862C-41BE-A256-19CFF2CA2F44}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\pdfprevhndlr.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\AcrobatInfo.exe\" /PDFShell"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C401-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85DE1C45-2C66-101B-B02E-04021C009402}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\InProcServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\ViewerPS.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroBroker.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{13C3C803-0CEF-4AE1-AF81-B73DD04BCAB5}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C401-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{85DE1C45-2C66-101B-B02E-04021C009402}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C400-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{335E7240-6B49-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6D12C401-4E34-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroBroker.exe\""	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6D12C402-4E34-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C402-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C400-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FD2C8897-2BE8-459c-B8E4-0D2FCFD341F0}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85DE1C45-2C66-101B-B02E-04021C009402}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD2C8897-2BE8-459c-B8E4-0D2FCFD341F0}\InprocServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\adobeafp.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D86D3661-4F11-4a9a-AD85-772A52AE6D69}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{72498821-3203-101B-B02E-04021C009402}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\pdfprevhndlr.dll"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF76CB60-2E68-101B-B02E-04021C009402}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\LocalServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{2EAF0840-690A-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{13C3C803-0CEF-4AE1-AF81-B73DD04BCAB5}\InProcServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\adobeafp.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1BFA8EF7-4C47-4FA8-94AA-3F9DFDBE58C5}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{335E7241-6B49-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{13C3C803-0CEF-4AE1-AF81-B73DD04BCAB5}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6D12C400-4E34-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{335E7240-6B49-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D86D3661-4F11-4a9a-AD85-772A52AE6D69}\InprocServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\adobeafp.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ = "C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72498821-3203-101B-B02E-04021C009402}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{335E7241-6B49-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ = "C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll"	msiexec.exe

Sets file execution options in registry 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exeMsiExec.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe\	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe\MitigationOptions = "256"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions = "256"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroServicesUpdater.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe\MitigationOptions = "256"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroServicesUpdater.exe\MitigationOptions = "256"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroServicesUpdater.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroServicesUpdater.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe\MitigationOptions = "256"	MsiExec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97B4858D-F842-4497-A9C1-CD7645B6FEEF

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation	97B4858D-F842-4497-A9C1-CD7645B6FEEF

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid	process
2264	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	msiexec.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	msiexec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in System32 directory 11 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\atl110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm110u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe

Drops file in Program Files directory 64 IoCs

Processes:

SingleClientServicesUpdater.exemsiexec.exeMsiExec.exe

description	ioc	process
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-72x72-precomposed.png	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\mip\js\nls\pl-pl\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	msiexec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png	MsiExec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-filepicker-dropin\1.0.0_1.0.0\translations-ko-KR-json.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-filepicker-dropin\1.0.0_1.0.0\translations-zh-TW-json.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\send-for-sign\images\s_radio_unselected_18.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\powered_by_adobe_sign_old.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\plugin.js	MsiExec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\video_play_button.svg	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\sign-services-auth\css\main-selector.css	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\Action01.sequ	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	msiexec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\swiftshader\libEGL.dll	msiexec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\large_trefoil.png	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h.png	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_education_add_signers_64.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\Adobe.Acrobat.Dependencies.manifest	msiexec.exe
File created	C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.sv_SE.txt	msiexec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\my-files-select\js\plugin.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\send-for-sign\images\sfs.svg	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_filter_18.svg	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\back-arrow-focus.svg	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\mip\images\themes\dark\s_radio_selected_18.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_de_135x40.svg	MsiExec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_da_135x40.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\LanguageNames2\DisplayLanguageNames.ar_JO.txt	msiexec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\images\illustrations_retina.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\main.css	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_fillsign_logo.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\redact_poster.jpg	MsiExec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\on-boarding\images\organize_twp.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\on-boarding\images\whats_new\en-us\Q3_2022_webform.png	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured.png	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\share-img.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js	MsiExec.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icudt40.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e59cac2.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI69D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Accessibility_R_RHP.aapp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.ar_eg.t	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\viewer.aapp26	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.ko.txt	msiexec.exe
File opened for modification	C:\Windows\Installer\e59caaf.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e59cb0c.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Accessibility.api_NON_OPT	msiexec.exe
File created	C:\Windows\Installer\e59cac0.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e59caf9.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e59cb34.HDR	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\PDFPrevHndlr.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD3C.tmp	msiexec.exe
File created	C:\Windows\Installer\e59cabb.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e59cac4.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e59ca49.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e59caab.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e59caf6.HDR	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.ar_dz.t	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.zh_tw_s	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adoberfp.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\11030.msp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.nl_nl_p	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Acrofx32.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1254.TXT	msiexec.exe
File opened for modification	C:\Windows\Installer\e59ca3a.HDR	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\a3dutils.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\F_CENTRAL_mfcm120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.es_pa.t	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.lv.txt	msiexec.exe
File created	C:\Windows\Installer\e59ca60.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e59ca4e.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E29.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\manifest.json	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\adobeafp.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI530D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EPDF_RHP.aapp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.es_ni.t	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.it_it.t	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.nl_nl.t	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e59c760.HDR	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\JSByteCodeWin.bin	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Index_R_RHP.aapp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.en_gb.t	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\home.aapp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.es_pe.t	msiexec.exe
File created	C:\Windows\Installer\e59ca3c.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e59cb21.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\AdobeXMP.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.nl_nl_p	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Multimedia.api_NON_OPT	msiexec.exe
File opened for modification	C:\Windows\Installer\e59ca33.HDR	msiexec.exe
File created	C:\Windows\Installer\e59cb27.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18E3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-1033-1033-7760-BC15014EA700}\_SecStoreFile.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXSLE.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e59ca51.HDR	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\certificates_r.aapp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1660 5024 WerFault.exe ADelRCP.exe

pid	pid_target	process	target process
1660	5024	WerFault.exe	ADelRCP.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Acrobat.exe = "11000"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\AppName = "AcroBroker.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\AppName = "Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\AppName = "AcroCEF.exe"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AcroDist.exe = "11000"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AcroLicApp.exe = "11000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AASIapp.exe = "11000"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppName = "AcroRd32.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\AppName = "Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Acrodist.exe = "11000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AASIapp.exe = "11000"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\AppName = "AcroBroker.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AcroLicApp.exe = "11000"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\AppName = "AcroCEF.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\Policy = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Acrobat.exe = "11000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe"	msiexec.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000afa27c7b2fbfd801	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000004b528d7b2fbfd801	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.PDBookmark.1\CLSID\ = "{2EAF0840-690A-101B-9CA8-9240CE2738AE}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{FD888B93-6CBF-4A6E-ADCB-652F5E04D0D7}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD7F7648-67FE-4262-9218-41B0CF89D20B}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41738EEA-442F-477F-92CF-2889BD6CD7E7}\1.0\HELPDIR	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3F1-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Adobe\Acrobat\Exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.FDFDoc\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85DE1C45-2C66-101B-B02E-04021C009402}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.Sequence\shell\ = "Import_Action"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB992715-BDDD-426C-BEC5-F91698E16389}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.pdfxml.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.HiliteList.1\ = "AcroExch.HiliteList"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Control	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\AcroExch.XFDFDoc	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sequ\OpenWithProgids\Acrobat.Sequence = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E790E1D1-9DE8-4853-8AC6-933D4FD9C927}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EAF0840-690A-101B-9CA8-9240CE2738AE}\ProgID\ = "AcroExch.PDBookmark"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76D6FD18-D3CF-41DF-AD4D-05CA3C41A9EB}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\68AB67CA044AFFFF4A24CB6120E4FD00\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\Acrobat.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E8-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\Programmable\	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.Document.DC\shell\Print	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.Document.DC\protocol\StdFileEditing\server\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{757633C4-6393-4DD8-BF7B-05F299A3600F}\NumMethods\ = "5"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18AED83F-B7B1-4992-B9E1-D291B1E5E0B4}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD0B497B-DACD-4C71-9EA7-8A6EB3D14999}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Printto\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Implemented Categories	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgIds\Acrobat.Document.DC = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.RMFFile\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.XDPDoc\BrowseInPlace = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.FDFDoc\AcrobatVersion\ = "7.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\pdfprevhndlr.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CE4A8D5-0DF2-40AA-B25D-39EAD2FC884A}\ProxyStubClsid32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\Shellex\PropertySheetHandlers	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdp\Content Type = "application/vnd.adobe.xdp+xml"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{739FEE01-013B-4DB3-B949-163DC89681A6}\ = "CPDFMakerProxy"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\EnableFullPage\.pdf	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.Time\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.pdfxml.1\DefaultIcon\ = "C:\\Windows\\Installer\\{AC76BA86-1033-1033-7760-BC15014EA700}\\_PDFFile.ico,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4C64AF6-D1CD-4D49-AE49-83D87B97CD7C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD9A54C1-7C89-4EDE-A493-2FB4F6BDEB19}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3D24CBB-332E-4ABD-8F70-F060998C0167}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroAccess.AcrobatAccess.1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E9-4981-101B-9CA8-9240CE2738AE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.FDFDoc\CLSID\ = "{B801CA65-A1FC-11D0-85AD-444553540000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.App\AcrobatVersion	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}\ = "IPDomWord"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC815B7A-828C-47E3-9E95-EF8D93F9A641}\ProxyStubClsid32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\MiscStatus	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PDXFileType	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4C64AF6-D1CD-4D49-AE49-83D87B97CD7C}\TypeLib\Version = "1.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47721AF1-B0FC-4911-A009-D2B30ED42639}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.XDPDoc	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document\EditFlags = 00000100	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}	msiexec.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

readerdc64_en_ga_cra_mdr_install.exe97B4858D-F842-4497-A9C1-CD7645B6FEEF

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	readerdc64_en_ga_cra_mdr_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	readerdc64_en_ga_cra_mdr_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	97B4858D-F842-4497-A9C1-CD7645B6FEEF
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	readerdc64_en_ga_cra_mdr_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	97B4858D-F842-4497-A9C1-CD7645B6FEEF
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	readerdc64_en_ga_cra_mdr_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	97B4858D-F842-4497-A9C1-CD7645B6FEEF

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

readerdc64_en_ga_cra_mdr_install.exeMsiExec.exeMsiExec.exeMsiExec.exeSingleClientServicesUpdater.exeMsiExec.exeMsiExec.exe97B4858D-F842-4497-A9C1-CD7645B6FEEF

pid	process
1896	readerdc64_en_ga_cra_mdr_install.exe
1896	readerdc64_en_ga_cra_mdr_install.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
2292	MsiExec.exe
2292	MsiExec.exe
2292	MsiExec.exe
2292	MsiExec.exe
4964	SingleClientServicesUpdater.exe
4964	SingleClientServicesUpdater.exe
3452	MsiExec.exe
3452	MsiExec.exe
3452	MsiExec.exe
3452	MsiExec.exe
3452	MsiExec.exe
3452	MsiExec.exe
4400	MsiExec.exe
4400	MsiExec.exe
4400	MsiExec.exe
4400	MsiExec.exe
3412	97B4858D-F842-4497-A9C1-CD7645B6FEEF
3412	97B4858D-F842-4497-A9C1-CD7645B6FEEF
4400	MsiExec.exe
4400	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

setup.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	548	setup.exe
Token: SeIncreaseQuotaPrivilege	548	setup.exe
Token: SeSecurityPrivilege	1876	msiexec.exe
Token: SeCreateTokenPrivilege	548	setup.exe
Token: SeAssignPrimaryTokenPrivilege	548	setup.exe
Token: SeLockMemoryPrivilege	548	setup.exe
Token: SeIncreaseQuotaPrivilege	548	setup.exe
Token: SeMachineAccountPrivilege	548	setup.exe
Token: SeTcbPrivilege	548	setup.exe
Token: SeSecurityPrivilege	548	setup.exe
Token: SeTakeOwnershipPrivilege	548	setup.exe
Token: SeLoadDriverPrivilege	548	setup.exe
Token: SeSystemProfilePrivilege	548	setup.exe
Token: SeSystemtimePrivilege	548	setup.exe
Token: SeProfSingleProcessPrivilege	548	setup.exe
Token: SeIncBasePriorityPrivilege	548	setup.exe
Token: SeCreatePagefilePrivilege	548	setup.exe
Token: SeCreatePermanentPrivilege	548	setup.exe
Token: SeBackupPrivilege	548	setup.exe
Token: SeRestorePrivilege	548	setup.exe
Token: SeShutdownPrivilege	548	setup.exe
Token: SeDebugPrivilege	548	setup.exe
Token: SeAuditPrivilege	548	setup.exe
Token: SeSystemEnvironmentPrivilege	548	setup.exe
Token: SeChangeNotifyPrivilege	548	setup.exe
Token: SeRemoteShutdownPrivilege	548	setup.exe
Token: SeUndockPrivilege	548	setup.exe
Token: SeSyncAgentPrivilege	548	setup.exe
Token: SeEnableDelegationPrivilege	548	setup.exe
Token: SeManageVolumePrivilege	548	setup.exe
Token: SeImpersonatePrivilege	548	setup.exe
Token: SeCreateGlobalPrivilege	548	setup.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

readerdc64_en_ga_cra_mdr_install.exeE00E35BA-66D7-4867-AD29-E95A88F6748Asetup.exeADelRCP.exe

pid	process
1896	readerdc64_en_ga_cra_mdr_install.exe
1896	readerdc64_en_ga_cra_mdr_install.exe
1896	readerdc64_en_ga_cra_mdr_install.exe
1896	readerdc64_en_ga_cra_mdr_install.exe
4864	E00E35BA-66D7-4867-AD29-E95A88F6748A
548	setup.exe
548	setup.exe
548	setup.exe
5024	ADelRCP.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

readerdc64_en_ga_cra_mdr_install.exeE00E35BA-66D7-4867-AD29-E95A88F6748Amsiexec.exeMsiExec.exeMSI11C9.tmp97B4858D-F842-4497-A9C1-CD7645B6FEEF

description	pid	process	target process
PID 1896 wrote to memory of 4864	1896	readerdc64_en_ga_cra_mdr_install.exe	E00E35BA-66D7-4867-AD29-E95A88F6748A
PID 1896 wrote to memory of 4864	1896	readerdc64_en_ga_cra_mdr_install.exe	E00E35BA-66D7-4867-AD29-E95A88F6748A
PID 1896 wrote to memory of 4864	1896	readerdc64_en_ga_cra_mdr_install.exe	E00E35BA-66D7-4867-AD29-E95A88F6748A
PID 4864 wrote to memory of 548	4864	E00E35BA-66D7-4867-AD29-E95A88F6748A	setup.exe
PID 4864 wrote to memory of 548	4864	E00E35BA-66D7-4867-AD29-E95A88F6748A	setup.exe
PID 1876 wrote to memory of 2264	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 2264	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 2264	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 2556	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 2556	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 5040	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 5040	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 2292	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 2292	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 2292	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 2200	1876	msiexec.exe	MSI7FE6.tmp
PID 1876 wrote to memory of 2200	1876	msiexec.exe	MSI7FE6.tmp
PID 1876 wrote to memory of 2200	1876	msiexec.exe	MSI7FE6.tmp
PID 1876 wrote to memory of 332	1876	msiexec.exe	FullTrustNotifier.exe
PID 1876 wrote to memory of 332	1876	msiexec.exe	FullTrustNotifier.exe
PID 1876 wrote to memory of 332	1876	msiexec.exe	FullTrustNotifier.exe
PID 2292 wrote to memory of 5024	2292	MsiExec.exe	ADelRCP.exe
PID 2292 wrote to memory of 5024	2292	MsiExec.exe	ADelRCP.exe
PID 1876 wrote to memory of 4964	1876	msiexec.exe	SingleClientServicesUpdater.exe
PID 1876 wrote to memory of 4964	1876	msiexec.exe	SingleClientServicesUpdater.exe
PID 1876 wrote to memory of 4848	1876	msiexec.exe	MSI11C9.tmp
PID 1876 wrote to memory of 4848	1876	msiexec.exe	MSI11C9.tmp
PID 4848 wrote to memory of 3032	4848	MSI11C9.tmp	msiexec.exe
PID 4848 wrote to memory of 3032	4848	MSI11C9.tmp	msiexec.exe
PID 4848 wrote to memory of 2428	4848	MSI11C9.tmp	cmd.exe
PID 4848 wrote to memory of 2428	4848	MSI11C9.tmp	cmd.exe
PID 1876 wrote to memory of 3452	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 3452	1876	msiexec.exe	MsiExec.exe
PID 1896 wrote to memory of 3412	1896	readerdc64_en_ga_cra_mdr_install.exe	97B4858D-F842-4497-A9C1-CD7645B6FEEF
PID 1896 wrote to memory of 3412	1896	readerdc64_en_ga_cra_mdr_install.exe	97B4858D-F842-4497-A9C1-CD7645B6FEEF
PID 1896 wrote to memory of 3412	1896	readerdc64_en_ga_cra_mdr_install.exe	97B4858D-F842-4497-A9C1-CD7645B6FEEF
PID 3412 wrote to memory of 5084	3412	97B4858D-F842-4497-A9C1-CD7645B6FEEF	McCHSvc.exe
PID 3412 wrote to memory of 5084	3412	97B4858D-F842-4497-A9C1-CD7645B6FEEF	McCHSvc.exe
PID 3412 wrote to memory of 5084	3412	97B4858D-F842-4497-A9C1-CD7645B6FEEF	McCHSvc.exe
PID 1876 wrote to memory of 4400	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 4400	1876	msiexec.exe	MsiExec.exe
PID 3412 wrote to memory of 3252	3412	97B4858D-F842-4497-A9C1-CD7645B6FEEF	SSScheduler.exe
PID 3412 wrote to memory of 3252	3412	97B4858D-F842-4497-A9C1-CD7645B6FEEF	SSScheduler.exe
PID 3412 wrote to memory of 3252	3412	97B4858D-F842-4497-A9C1-CD7645B6FEEF	SSScheduler.exe
PID 1876 wrote to memory of 1628	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 1628	1876	msiexec.exe	MsiExec.exe
PID 1876 wrote to memory of 1628	1876	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\readerdc64_en_ga_cra_mdr_install.exe
"C:\Users\Admin\AppData\Local\Temp\readerdc64_en_ga_cra_mdr_install.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Adobe\7C8C8746-4E83-43BE-A420-0502ABEC2951\22862CCE-97DF-4466-8BB2-A16B2D2AF381\E00E35BA-66D7-4867-AD29-E95A88F6748A
"C:\Users\Admin\AppData\Local\Adobe\7C8C8746-4E83-43BE-A420-0502ABEC2951\22862CCE-97DF-4466-8BB2-A16B2D2AF381\E00E35BA-66D7-4867-AD29-E95A88F6748A" /sAll /re /msi PRODUCT_SOURCE=ACDC OWNERSHIP_STATE=1 UPDATE_MODE=3 EULA_ACCEPT=YES ENABLE_CHROMEEXT=1
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
"C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe" /sAll /re /msi PRODUCT_SOURCE=ACDC OWNERSHIP_STATE=1 UPDATE_MODE=3 EULA_ACCEPT=YES ENABLE_CHROMEEXT=1 DISABLE_CACHE=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:548

C:\Users\Admin\AppData\Local\Adobe\7C8C8746-4E83-43BE-A420-0502ABEC2951\4D675549-DDC9-4144-8F92-DC2B81EB6DCF\97B4858D-F842-4497-A9C1-CD7645B6FEEF
"C:\Users\Admin\AppData\Local\Adobe\7C8C8746-4E83-43BE-A420-0502ABEC2951\4D675549-DDC9-4144-8F92-DC2B81EB6DCF\97B4858D-F842-4497-A9C1-CD7645B6FEEF" /S /noeula /Affid=739 /rid=10 /source="AdobeReader"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3412

C:\Program Files (x86)\McAfee Security Scan\4.0.135\McCHSvc.exe
"C:\Program Files (x86)\McAfee Security Scan\4.0.135\McCHSvc.exe" /Service
3⤵
- Executes dropped EXE
PID:5084

C:\Program Files (x86)\McAfee Security Scan\4.0.135\SSScheduler.exe
"C:\Program Files (x86)\McAfee Security Scan\4.0.135\SSScheduler.exe"
3⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Sets file execution options in registry
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CD81ACCE557E0C15389BFEBB59192538
2⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2264

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding E0C1304F3BCC7865D317D68B573951BD
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding E350D8B420FA146292CCEFC9A1B8DA26 E Global\MSI0000
2⤵
- Sets file execution options in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8D3947B91BD25932189F05B55458869C E Global\MSI0000
2⤵
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
"C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5024 -s 436
4⤵
- Program crash
PID:1660

C:\Windows\Installer\MSI7FE6.tmp
"C:\Windows\Installer\MSI7FE6.tmp" /b 2 120 0
2⤵
- Executes dropped EXE
PID:2200

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" ClearToasts
2⤵
- Executes dropped EXE
PID:332

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe" 22.002.20191 --SingleClientApp
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
--postMsg
3⤵
- Executes dropped EXE
PID:1640

C:\Windows\Installer\MSI11C9.tmp
"C:\Windows\Installer\MSI11C9.tmp" {AC76BA86-1033-1033-7760-BC15014EA700} 1
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\system32\msiexec.exe
msiexec.exe /i {AC76BA86-1033-1033-7760-BC15014EA700} REINSTALLMODE=omus REINSTALL=ALL IS_SEC_INSTALL=1 /qn
3⤵
PID:3032

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\Installer\MSI11C9.tmp"
3⤵
PID:2428

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 1B82CB0A77BEB64E0CBD3A97E18BD76B
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3452

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 2C0694673E81CA81CFC277295B32A2D4 E Global\MSI0000
2⤵
- Registers COM server for autorun
- Sets file execution options in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4CAD71565FA8E153A192BC9987DEA42B E Global\MSI0000
2⤵
PID:1628

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:4188

C:\Program Files (x86)\McAfee Security Scan\4.0.135\McCHSvc.exe
"C:\Program Files (x86)\McAfee Security Scan\4.0.135\McCHSvc.exe"
1⤵
- Executes dropped EXE
PID:1888

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:4312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\COMMON FILES\ADOBE\ACROBAT\SETUP\{AC76BA86-1033-1033-7760-BC15014EA700}\Abcpy.ini
Filesize
647B

MD5
6e90b40b81420d7c1c040f0a43c8be43

SHA1
0c6dd707c432cfcfb20817a149c597cb7c850e35

SHA256
63932f5fa0df2396731c0b3d4740b7fa985f932e9283f1c31e6f65e883bc6c1c

SHA512
fe077ec6892d5785cc183d71733fce877ff356b566b8cfc740ad4e3a77adfeb2a1c21e09cbf622015c95bd6cae7393b4a08620d20eea38b9a1c7c21b1d8db1ae

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\AcroPro.msi
Filesize
11.1MB

MD5
2a08127cb509b3a8aeb4f5a495aeee02

SHA1
d1a1e2a8d72e017f23502d924d5d0607821648bf

SHA256
f86b86c5d41407ebbfff7632de74375e743784e4f88c1e74c1e24f64467aa7f6

SHA512
e1ae85aef2c979fe567888662ec5af4a64c2a75973eff7a18ad083356f5c01c5a8f1c68b3711a6a62ec5544d63ee978bc26698b47b066404450daac92a850248

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\AcroRdrDCx64Upd2200220191.msp
Filesize
269.5MB

MD5
315f2b694609fb15472f9b5732fe79f8

SHA1
ce27126b4e1d8fbf126acd4fb348e9e55b953232

SHA256
8b9036fc6403694c538e11021cffd9ccfcf7f689b78112cb0431e57360e8cb16

SHA512
bcaea0920ed294747e36f22b1ee22540fcdeb721fca150502eabb27f0b006edb0e459ab0bd08541adfc422b7ba122b27ab6f8d17d6cebcd02d0aa763510cbd87

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\Core.cab
Filesize
490.5MB

MD5
b80e8040e63617f75bc0e0720832d904

SHA1
851d2cd29f636637d4a96161904ddf83bd40fcc1

SHA256
f9355903a07c4e4174846e62c4d2419a61f4224c6396c76782af784920c0fa49

SHA512
f16c4de487ddaa7b9b66da789391046bd31092ec4c15bd95a807e5f22abe499a95a5d999c859769e4a9b6e342953119e69021888af95ab52b547560a4a4930b3

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Filesize
626KB

MD5
86b3fa97187d5d8679918c2dc4ed9641

SHA1
f8f614d9a3258cbc72d2695f3fca0c7c5dd5db5d

SHA256
aba0f84acceb95bfff3d176f1f57f78a379748e0a688b645548f8b678343d718

SHA512
da5a430f0cce0d55edf137c5aa0e79362beeb5d3da9383c9c129d6549fef6b3dd8fc013b2c01d6ec56c18c4c157748e450a5787951eff6085272e2e78102744f

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Filesize
626KB

MD5
86b3fa97187d5d8679918c2dc4ed9641

SHA1
f8f614d9a3258cbc72d2695f3fca0c7c5dd5db5d

SHA256
aba0f84acceb95bfff3d176f1f57f78a379748e0a688b645548f8b678343d718

SHA512
da5a430f0cce0d55edf137c5aa0e79362beeb5d3da9383c9c129d6549fef6b3dd8fc013b2c01d6ec56c18c4c157748e450a5787951eff6085272e2e78102744f

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.ini
Filesize
369B

MD5
ce9bdcda61dccfa56c50d4f15d2dec93

SHA1
c0356df22f7a649dff6b7a07403bcbd716745748

SHA256
33d7eabd4a3375ee5459a5a5f0e2aa2b783a838dfbd137597db38c367e088ce4

SHA512
906525c51eac16ce705cb483109aea77a36832196dd1f3aeb4660fcd3cc7a5f52fc450d6137044e036d444b0571f3b818e101a3cd770775801cde742ecd5eca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
Filesize
471B

MD5
9483cb7cbcc079750a8be2d65a83ba06

SHA1
4ffbac4b3c2ef12ea2ae251a4a87a6262b255d3e

SHA256
942b1169623abc59c45692503bb8269631cf0b5b8218b84a9ab9755190300a39

SHA512
b3c1a95490fe0ca3fa0ee12db34d3fcffaa277792471d1b3fa15100c9e520756be5eea7fbce453d69f9723a82faaec4a99649d20c3127f5855aaf663027406ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
Filesize
420B

MD5
98f4e7328bed9bdd7dc97af0579bffab

SHA1
f7f21193155c67d5705b5d738d28bb6749feba48

SHA256
7fa7b450a615ddbc848c3d70000529d704620cb5521e58916b7e996f718f695c

SHA512
10df3048b9466b0573b85a8d4876b9d2f9e5b087b88433057a772a0a4b5a49ab1f12a6f956d4a2b58a4d5bc892ec06df83bb3fbcdc49069b3294bb3e83584ba0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\7C8C8746-4E83-43BE-A420-0502ABEC2951\22862CCE-97DF-4466-8BB2-A16B2D2AF381\E00E35BA-66D7-4867-AD29-E95A88F6748A
Filesize
304.3MB

MD5
65f227aab8cc59de3d4cf66d3be26336

SHA1
e9433ecedeb00f056d6d1ac85570055eb0ec85d3

SHA256
83822e5f53da908d9b558641244caa58a45df8d5cfc7d91ae1963f537ab2a5f8

SHA512
305dec58f943e0ee4435c947eb0f47c4f2181870c7adc2734ca74303876bf6808cb44452dfe5ce009ee2c17126e7bc623a10dff31f3f67ebaf44b8390ecd2ba7

Download Submit
C:\Users\Admin\AppData\Local\Adobe\7C8C8746-4E83-43BE-A420-0502ABEC2951\22862CCE-97DF-4466-8BB2-A16B2D2AF381\E00E35BA-66D7-4867-AD29-E95A88F6748A
Filesize
304.3MB

MD5
65f227aab8cc59de3d4cf66d3be26336

SHA1
e9433ecedeb00f056d6d1ac85570055eb0ec85d3

SHA256
83822e5f53da908d9b558641244caa58a45df8d5cfc7d91ae1963f537ab2a5f8

SHA512
305dec58f943e0ee4435c947eb0f47c4f2181870c7adc2734ca74303876bf6808cb44452dfe5ce009ee2c17126e7bc623a10dff31f3f67ebaf44b8390ecd2ba7

Download Submit
C:\Windows\Installer\MSI16DD.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI17A9.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI18E3.tmp
Filesize
476KB

MD5
3d12ce16d514aae51a33d6ab1246900a

SHA1
db461b94a6514c6471d9bd93efb61ee16a570e48

SHA256
bea39de9621393e7f88845820e878bfb843553f231f8eecc4b8248faa1060941

SHA512
3ee5b12af1623e04cba096a67f2c569d4b2b6af34fcdd153789ddea1b3d856754bf502c7770bb11e97bbe8cd6b76b4913220b2ce80371ff0772f3757e901a8d8

Download Submit
C:\Windows\Installer\MSI19CE.tmp
Filesize
201KB

MD5
0d552389eb576bd568c6729d782a0fe5

SHA1
8b52986c6d52da0a4e57e8f2957f2e96bb69ce8f

SHA256
7b11f38a728b9abbc4732d65d5ef8552b6db0762e6c1ca86cf74f0dba4620d64

SHA512
7a1b07925e912ff0ff5d8eac75dcd83007eecc8e2b63e590389b745160929cc3ec0c973d2c9572c2bcbe22071c08c263d9c501ece3814a343ffbcf59f7214702

Download Submit
C:\Windows\Installer\MSI38C.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI4B9D.tmp
Filesize
140KB

MD5
c5d19778eb2d60a935fa6f3e27823f73

SHA1
f59b6a146d45bc8c94ca5823deb79a7617bdca15

SHA256
2802dcfa78f0b44a00b7def026afa2084bb72baa801c647664b9cc747a6bd08a

SHA512
73e2ffd90881b41383d6aa31b69040f21bdb33ffe052b119cc9f59986e05697f3e52889167f7dfe79aef03509b6cac8e558da6dc07491eceefa5266cbd00cb5b

Download Submit
C:\Windows\Installer\MSI4C1B.tmp
Filesize
151KB

MD5
ad2b74452cc2ff7b68e8f28310d679d0

SHA1
d9f3c3d1d06303f34921eb508c64b15eb352d639

SHA256
ab3ce603b635fabfb0fdd563959df20632bfdfddf224e503a7a157ab7dc12cd4

SHA512
5de67d3f7ef3e4c381cd6d905da052265abb1fb55478faa9188ffe4b24627e5a87fb9bb7ac0c769091a364eecb51b4e7ce29ab71edcf8cd24dd2b0c70a840b04

Download Submit
C:\Windows\Installer\MSI4C7A.tmp
Filesize
151KB

MD5
ad2b74452cc2ff7b68e8f28310d679d0

SHA1
d9f3c3d1d06303f34921eb508c64b15eb352d639

SHA256
ab3ce603b635fabfb0fdd563959df20632bfdfddf224e503a7a157ab7dc12cd4

SHA512
5de67d3f7ef3e4c381cd6d905da052265abb1fb55478faa9188ffe4b24627e5a87fb9bb7ac0c769091a364eecb51b4e7ce29ab71edcf8cd24dd2b0c70a840b04

Download Submit
C:\Windows\Installer\MSI4D75.tmp
Filesize
480KB

MD5
14c1cd91516fa7af6ad159fbb1a4237a

SHA1
6dbf2d6d9c2451575dd7b5e22d1ad1345b0f6f8c

SHA256
cba5254e9fe764677a8721e4d98b82af65485cf0e4ed2193f038acdf7dd59b33

SHA512
fb0747fbc614c855bff25562228742e3a0846516d109e59d2840ee55730c9dff0579b6fbe837b98ce4b64c601ffe36600c9250f6401f678d1182eed2abcd3997

Download Submit
C:\Windows\Installer\MSI4E60.tmp
Filesize
480KB

MD5
14c1cd91516fa7af6ad159fbb1a4237a

SHA1
6dbf2d6d9c2451575dd7b5e22d1ad1345b0f6f8c

SHA256
cba5254e9fe764677a8721e4d98b82af65485cf0e4ed2193f038acdf7dd59b33

SHA512
fb0747fbc614c855bff25562228742e3a0846516d109e59d2840ee55730c9dff0579b6fbe837b98ce4b64c601ffe36600c9250f6401f678d1182eed2abcd3997

Download Submit
C:\Windows\Installer\MSI4F4B.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
C:\Windows\Installer\MSI5027.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI5122.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI51DF.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI52DA.tmp
Filesize
138KB

MD5
6ffc030b7530a4f7310e10d0a5ea6491

SHA1
d2f737ed65569e1fe1d6db34021bf66f166f9061

SHA256
2a13e8afbb6807bd822a53ac51d4bb340d5e1b1e24eab783b035dc3d5342e4e4

SHA512
56e1255ee36689cdebd9dd5e162ff1007fd7b08193374d16b2e057d08f20b4811ae222478672850a268d2d60f71a014309d71076b90f86b4b6228bd65f3b2d72

Download Submit
C:\Windows\Installer\MSI5963.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI5BA6.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
C:\Windows\Installer\MSI5CDF.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI5CE0.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI5DF.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI748.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI823.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8B1.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI9BC.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
C:\Windows\Installer\MSIAE5.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIF737.tmp
Filesize
141KB

MD5
edb88affffd67bca3523b41d3e2e4810

SHA1
0055b93907665fed56d22a7614a581a87d060ead

SHA256
4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15

SHA512
2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf

Download Submit
\Windows\Installer\MSI16DD.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI17A9.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI18E3.tmp
Filesize
476KB

MD5
3d12ce16d514aae51a33d6ab1246900a

SHA1
db461b94a6514c6471d9bd93efb61ee16a570e48

SHA256
bea39de9621393e7f88845820e878bfb843553f231f8eecc4b8248faa1060941

SHA512
3ee5b12af1623e04cba096a67f2c569d4b2b6af34fcdd153789ddea1b3d856754bf502c7770bb11e97bbe8cd6b76b4913220b2ce80371ff0772f3757e901a8d8

Download Submit
\Windows\Installer\MSI19CE.tmp
Filesize
201KB

MD5
0d552389eb576bd568c6729d782a0fe5

SHA1
8b52986c6d52da0a4e57e8f2957f2e96bb69ce8f

SHA256
7b11f38a728b9abbc4732d65d5ef8552b6db0762e6c1ca86cf74f0dba4620d64

SHA512
7a1b07925e912ff0ff5d8eac75dcd83007eecc8e2b63e590389b745160929cc3ec0c973d2c9572c2bcbe22071c08c263d9c501ece3814a343ffbcf59f7214702

Download Submit
\Windows\Installer\MSI38C.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI4B9D.tmp
Filesize
140KB

MD5
c5d19778eb2d60a935fa6f3e27823f73

SHA1
f59b6a146d45bc8c94ca5823deb79a7617bdca15

SHA256
2802dcfa78f0b44a00b7def026afa2084bb72baa801c647664b9cc747a6bd08a

SHA512
73e2ffd90881b41383d6aa31b69040f21bdb33ffe052b119cc9f59986e05697f3e52889167f7dfe79aef03509b6cac8e558da6dc07491eceefa5266cbd00cb5b

Download Submit
\Windows\Installer\MSI4C1B.tmp
Filesize
151KB

MD5
ad2b74452cc2ff7b68e8f28310d679d0

SHA1
d9f3c3d1d06303f34921eb508c64b15eb352d639

SHA256
ab3ce603b635fabfb0fdd563959df20632bfdfddf224e503a7a157ab7dc12cd4

SHA512
5de67d3f7ef3e4c381cd6d905da052265abb1fb55478faa9188ffe4b24627e5a87fb9bb7ac0c769091a364eecb51b4e7ce29ab71edcf8cd24dd2b0c70a840b04

Download Submit
\Windows\Installer\MSI4C7A.tmp
Filesize
151KB

MD5
ad2b74452cc2ff7b68e8f28310d679d0

SHA1
d9f3c3d1d06303f34921eb508c64b15eb352d639

SHA256
ab3ce603b635fabfb0fdd563959df20632bfdfddf224e503a7a157ab7dc12cd4

SHA512
5de67d3f7ef3e4c381cd6d905da052265abb1fb55478faa9188ffe4b24627e5a87fb9bb7ac0c769091a364eecb51b4e7ce29ab71edcf8cd24dd2b0c70a840b04

Download Submit
\Windows\Installer\MSI4D75.tmp
Filesize
480KB

MD5
14c1cd91516fa7af6ad159fbb1a4237a

SHA1
6dbf2d6d9c2451575dd7b5e22d1ad1345b0f6f8c

SHA256
cba5254e9fe764677a8721e4d98b82af65485cf0e4ed2193f038acdf7dd59b33

SHA512
fb0747fbc614c855bff25562228742e3a0846516d109e59d2840ee55730c9dff0579b6fbe837b98ce4b64c601ffe36600c9250f6401f678d1182eed2abcd3997

Download Submit
\Windows\Installer\MSI4E60.tmp
Filesize
480KB

MD5
14c1cd91516fa7af6ad159fbb1a4237a

SHA1
6dbf2d6d9c2451575dd7b5e22d1ad1345b0f6f8c

SHA256
cba5254e9fe764677a8721e4d98b82af65485cf0e4ed2193f038acdf7dd59b33

SHA512
fb0747fbc614c855bff25562228742e3a0846516d109e59d2840ee55730c9dff0579b6fbe837b98ce4b64c601ffe36600c9250f6401f678d1182eed2abcd3997

Download Submit
\Windows\Installer\MSI4F4B.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
\Windows\Installer\MSI5027.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI5122.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI51DF.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI52DA.tmp
Filesize
138KB

MD5
6ffc030b7530a4f7310e10d0a5ea6491

SHA1
d2f737ed65569e1fe1d6db34021bf66f166f9061

SHA256
2a13e8afbb6807bd822a53ac51d4bb340d5e1b1e24eab783b035dc3d5342e4e4

SHA512
56e1255ee36689cdebd9dd5e162ff1007fd7b08193374d16b2e057d08f20b4811ae222478672850a268d2d60f71a014309d71076b90f86b4b6228bd65f3b2d72

Download Submit
\Windows\Installer\MSI5963.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI5BA6.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
\Windows\Installer\MSI5CDF.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI5CE0.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI5DF.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI748.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI823.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI8B1.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSI9BC.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
\Windows\Installer\MSIAE5.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
\Windows\Installer\MSIF737.tmp
Filesize
141KB

MD5
edb88affffd67bca3523b41d3e2e4810

SHA1
0055b93907665fed56d22a7614a581a87d060ead

SHA256
4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15

SHA512
2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf

Download Submit
memory/332-643-0x0000000000000000-mapping.dmp

Download
memory/548-302-0x0000000000000000-mapping.dmp

Download
memory/1628-1060-0x0000000000000000-mapping.dmp

Download
memory/1896-136-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-123-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-139-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-138-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-256-0x0000000001130000-0x0000000001567000-memory.dmp

Filesize
4.2MB

Download
memory/1896-137-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-167-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-135-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-134-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-133-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-132-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-131-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-168-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-166-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-185-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-169-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-130-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-165-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-164-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-184-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-163-0x0000000000830000-0x0000000000833000-memory.dmp

Filesize
12KB

Download
memory/1896-183-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-154-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-182-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-181-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-157-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-161-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-180-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-162-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-179-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-129-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-160-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-128-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-159-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-158-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-127-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-126-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-156-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-124-0x0000000001130000-0x0000000001567000-memory.dmp

Filesize
4.2MB

Download
memory/1896-155-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-125-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-141-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-122-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-152-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-121-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-153-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-120-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-151-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-147-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-140-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-150-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-178-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-177-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-148-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-149-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-176-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-175-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-146-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-145-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-174-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-144-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-173-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-143-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-172-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-142-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-171-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-170-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/2200-579-0x0000000000000000-mapping.dmp

Download
memory/2264-312-0x0000000000000000-mapping.dmp

Download
memory/2292-519-0x0000000000000000-mapping.dmp

Download
memory/2428-839-0x0000000000000000-mapping.dmp

Download
memory/2556-363-0x0000000000000000-mapping.dmp

Download
memory/3032-836-0x0000000000000000-mapping.dmp

Download
memory/3252-1018-0x0000000000000000-mapping.dmp

Download
memory/3412-843-0x0000000000000000-mapping.dmp

Download
memory/3452-840-0x0000000000000000-mapping.dmp

Download
memory/4400-1013-0x0000000000000000-mapping.dmp

Download
memory/4848-833-0x0000000000000000-mapping.dmp

Download
memory/4864-263-0x0000000000000000-mapping.dmp

Download
memory/4964-795-0x0000000000000000-mapping.dmp

Download
memory/5024-727-0x0000000000000000-mapping.dmp

Download
memory/5040-420-0x0000000000000000-mapping.dmp

Download
memory/5084-951-0x0000000000000000-mapping.dmp

Download