masslogger | 8bc36f61610304148652cc7748ac1a215290f720d9e5e8df53d1d3b2c3c0e5fd

Analysis

max time kernel
1403s
max time network
1227s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

readerdc64_en_ga_cra_mdr_install.exe
Size

1.2MB
MD5

a2e37f954986af9f88342b20b2965646
SHA1

b298ce01bc93e8391acca3a07c0d06021df30dd6
SHA256

8bc36f61610304148652cc7748ac1a215290f720d9e5e8df53d1d3b2c3c0e5fd
SHA512

a492235f0e6de5f93200e0886bf4d3d77629777f28a5d517e87c3bb45e4266f339ab6a66d889434e617a3e4cec7248b488fb1e5aa0a73b6498ed7ec2d4073e7a
SSDEEP

24576:YDDuX33Kl7LoDozrFH1edTVyJFeMxbsRIHZ9lWzirNj:pHKFcD4FHnU+bhgo

Score

10^/10

masslogger discovery persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4824 created 4996 4824 svchost.exe SingleClientServicesUpdater.exe

description	pid	process	target process
PID 4824 created 4996	4824	svchost.exe	SingleClientServicesUpdater.exe

Vidar log file 1 IoCs

Detects a log file produced by Vidar.

Processes:

resource	yara_rule
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\Core.cab	vidar_log_file

Executes dropped EXE 14 IoCs

Processes:

3331D374-742A-4505-9E59-9EE3F6A06E3Fsetup.exeMSI85D4.tmpFullTrustNotifier.exeADelRCP.exeSingleClientServicesUpdater.exearmsvc.exeSingleClientServicesUpdater.exeMSIFA99.tmp12A95990-40DE-48D2-BC13-B68F01EC7F04McCHSvc.exeMcCHSvc.exeSSScheduler.exearmsvc.exe

pid	process
3432	3331D374-742A-4505-9E59-9EE3F6A06E3F
2320	setup.exe
2380	MSI85D4.tmp
4776	FullTrustNotifier.exe
4548	ADelRCP.exe
4996	SingleClientServicesUpdater.exe
2316	armsvc.exe
176	SingleClientServicesUpdater.exe
3776	MSIFA99.tmp
876	12A95990-40DE-48D2-BC13-B68F01EC7F04
2884	McCHSvc.exe
2392	McCHSvc.exe
5044	SSScheduler.exe
1668	armsvc.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{A6EADE66-0000-0000-484E-7E8A45000000}	MsiExec.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

msiexec.exeMsiExec.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85DE1C45-2C66-101B-B02E-04021C009402}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\InProcServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD2C8897-2BE8-459c-B8E4-0D2FCFD341F0}\InprocServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\adobeafp.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\LocalServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C401-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{85DE1C45-2C66-101B-B02E-04021C009402}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FF76CB60-2E68-101B-B02E-04021C009402}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6D12C400-4E34-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{13C3C803-0CEF-4AE1-AF81-B73DD04BCAB5}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BFA8EF7-4C47-4FA8-94AA-3F9DFDBE58C5}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FF76CB60-2EC8-101B-B02E-04021C009402}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{335E7241-6B49-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{335E7240-6B49-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D86D3661-4F11-4a9a-AD85-772A52AE6D69}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\AcrobatInfo.exe\" /PDFShell"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ = "C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{335E7241-6B49-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D86D3661-4F11-4a9a-AD85-772A52AE6D69}\InprocServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\adobeafp.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72498821-3203-101B-B02E-04021C009402}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{13C3C803-0CEF-4AE1-AF81-B73DD04BCAB5}\InProcServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C402-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF76CB60-2EC8-101B-B02E-04021C009402}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{2EAF0840-690A-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C400-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{335E7240-6B49-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6D12C402-4E34-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1BFA8EF7-4C47-4FA8-94AA-3F9DFDBE58C5}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{123FCDEB-862C-41BE-A256-19CFF2CA2F44}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C400-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ = "C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6D12C401-4E34-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{72498821-3203-101B-B02E-04021C009402}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroBroker.exe\""	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85DE1C45-2C66-101B-B02E-04021C009402}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{13C3C803-0CEF-4AE1-AF81-B73DD04BCAB5}\InProcServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF76CB60-2E68-101B-B02E-04021C009402}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroBroker.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C401-4E34-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EAF0840-690A-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EAF0840-690A-101B-9CA8-9240CE2738AE}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32\ = "\"C:\\Program Files\\Adobe\\Acrobat DC\\AcrobatInfo.exe\" /PDFShell"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D12C401-4E34-101B-9CA8-9240CE2738AE}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{335E7240-6B49-101B-9CA8-9240CE2738AE}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FD2C8897-2BE8-459c-B8E4-0D2FCFD341F0}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D86D3661-4F11-4a9a-AD85-772A52AE6D69}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\InProcServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\ViewerPS.dll"	msiexec.exe

Sets file execution options in registry 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exeMsiExec.exeMsiExec.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe\MitigationOptions = "256"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroServicesUpdater.exe\MitigationOptions = "256"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions = "256"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe\MitigationOptions = "256"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe\MitigationOptions = "256"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroServicesUpdater.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroCEF.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe\	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe\DisableExceptionChainValidation = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe\MitigationOptions = "256"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroServicesUpdater.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroServicesUpdater.exe\MitigationOptions = "256"	MsiExec.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSIFA99.tmp12A95990-40DE-48D2-BC13-B68F01EC7F04

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	MSIFA99.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	12A95990-40DE-48D2-BC13-B68F01EC7F04

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid	process
1268	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	msiexec.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	msiexec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Drops file in System32 directory 11 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\atl110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm110u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe
File created	C:\Windows\SysWOW64\Elevation.tmp	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm110.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

SingleClientServicesUpdater.exemsiexec.exeMsiExec.exe

description	ioc	process
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-filepicker-dropin\1.0.0_1.0.0\test\DropinHarness\dc-app-launcher.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb	msiexec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\s_sortedby_18.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt	msiexec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\selector.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\th_get.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic	msiexec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\reviewers.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info2x.png	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\test\DropinHarness\private\dc-sdk-dev-manifest.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\s_sendforcomments_18.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\on-boarding\images\whats_new\en-us\Q3_2022_branding.png	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\reduced_mode.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nb_135x40.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_auditreport_18.svg	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\scan_poster.jpg	MsiExec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\Close.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile-2x.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\el_get.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\send-for-sign\images\sfs.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\favicon.ico	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\DirectInk.dll	msiexec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_uinline_warning.svg	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\nl_get.svg	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\combineconvertpdf.svg	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\ui-strings.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\walk-through\images\dc_share_upsell.png	SingleClientServicesUpdater.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\ui-strings.js	MsiExec.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_hover.png	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\ui-strings.js	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg	MsiExec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\SearchEmail.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\nppdf32.dll	msiexec.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\dc-spectrum-web-components-core.js	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\ui-strings.js	SingleClientServicesUpdater.exe
File opened for modification	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle.cur	SingleClientServicesUpdater.exe
File created	C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\oauthdialog\js\nls\de-de\ui-strings.js	SingleClientServicesUpdater.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\adobexmp.dll1	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\ahclient.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Scan_R_RHP.aapp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3677.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1254.TXT	msiexec.exe
File opened for modification	C:\Windows\Installer\e595434.HDR	msiexec.exe
File created	C:\Windows\Installer\e595463.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e595486.HDR	msiexec.exe
File created	C:\Windows\Installer\e595489.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C7A.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\_4bitmapibroker.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.es_bo.t	msiexec.exe
File opened for modification	C:\Windows\Installer\e595414.HDR	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\concrt140.dll.F1670FCA_6780_3657_9C04_AF8005AC8143	msiexec.exe
File opened for modification	C:\Windows\Installer\e5953e7.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e595478.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e5954b7.HDR	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_JP2KLib.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\prcr.x3d1	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.sl.txt	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\home.aapp26	msiexec.exe
File opened for modification	C:\Windows\Installer\e59543f.HDR	msiexec.exe
File created	C:\Windows\Installer\e595446.HDR	msiexec.exe
File created	C:\Windows\Installer\e595461.HDR	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.ar_ye.t	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7311.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8839.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeXMP.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e5953cd.HDR	msiexec.exe
File created	C:\Windows\Installer\e595415.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e595459.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE96.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\armsvc.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.ca_es.t	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\displaylanguagenames.es_py.t	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EPDF_RHP.aapp	msiexec.exe
File created	C:\Windows\Installer\e5953e1.HDR	msiexec.exe
File created	C:\Windows\Installer\e595407.HDR	msiexec.exe
File created	C:\Windows\Installer\e595452.HDR	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\weblink.api	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Spelling.api	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-1033-1033-7760-BC15014EA700}\_RightsManagementFile.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Checkers.api	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\prcr.x3d	msiexec.exe
File created	C:\Windows\Installer\e5953f2.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\e5953fb.HDR	msiexec.exe
File created	C:\Windows\Installer\e5954a2.HDR	msiexec.exe
File created	C:\Windows\Installer\{AC76BA86-1033-1033-7760-BC15014EA700}\_APIFile.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5357.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icucnv40.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI167.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5953f7.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3666.tmp	msiexec.exe
File created	C:\Windows\Installer\e5953ec.HDR	msiexec.exe
File created	C:\Windows\Installer\e59540c.HDR	msiexec.exe
File created	C:\Windows\Installer\e59544f.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD69.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\msvcp140_codecvt_ids.dll.F1670FCA_6780_3657_9C04_AF8005AC8143	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\_difr.x3d	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Acrobat32OL.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e595473.HDR	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5233.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1828 3528 WerFault.exe
1868 4548 WerFault.exe ADelRCP.exe

pid	pid_target	process	target process
1828	3528	WerFault.exe
1868	4548	WerFault.exe	ADelRCP.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppName = "AcroRd32.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\AppName = "AcroCEF.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Acrodist.exe = "11000"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AcroLicApp.exe = "11000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AASIapp.exe = "11000"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\Compatibility Flags = "1024"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AASIapp.exe = "11000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Acrobat.exe = "11000"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\AppName = "Acrobat.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\AppName = "AdobeCollabSync.exe"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Acrobat.exe = "11000"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\AppName = "AcroBroker.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\AppName = "Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\AppName = "AcroBroker.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AcroDist.exe = "11000"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName = "AdobeARM.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{191DA03B-FBE7-4579-B64D-273DC8358F1B}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89322207-5E2E-40CE-90ED-5957180E3B2C}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BE0A2BA1-1E09-4A59-BE36-AA32DC25931B}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\AppName = "AcroCEF.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AcroLicApp.exe = "11000"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF27C7F4-B47A-4011-8177-6408DC5DDB1A}\AppPath = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF"	msiexec.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000a5d56c9fc6c1d801	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000ab346f9fc6c1d801	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeMcCHSvc.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72498821-3203-101B-B02E-04021C009402}\LocalServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB992715-BDDD-426C-BEC5-F91698E16389}\TypeLib\ = "{E64169B3-3592-47D2-816E-602C5C13F328}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.acrobat.aaui+xml	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\OpenWithProgids\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Acrobat.Sequence\shell\Import_Action\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF\CLSID\ = "{CA8A9780-280D-11CF-A24D-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\TypeLib\ = "{05BFD3F1-6319-4F30-B752-C7A22889BCC4}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.XDPDoc\shell\ = "Open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{78165D71-DF28-11d3-9A89-005004A56D53}\1.0\FLAGS\ = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroExch.PDBookmark.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.aaui\DefaultIcon\ = "C:\\Windows\\Installer\\{AC76BA86-1033-1033-7760-BC15014EA700}\\_729C1918_D5B6_4B24_97EC_8B387AE953A9,0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AcroPDF.PDF\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.Document.DC\shell\ = "Open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CD069A0-50AA-11D1-B8F0-00A0C9259304}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F4C43469-52C7-443A-A2F1-1B53A821BB87}\NumMethods	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdx\OpenWithProgids\Acrobat.AcrobatPDXFileType = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdx	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\ProgID\ = "AdobeAcrobat.OpenDocuments.3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\DocObject	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdx\PDXFileType	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\acrobat2018\shell\open\ddeexec\application\ = "AcroViewA22"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmf\OpenWithProgids	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.Sequence\shell\Import_Action	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\InprocHandler32\ = "ole32.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD60A736-62F6-4194-97D0-45F444D9E813}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.pdfxml.1\shell\Print\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD888B93-6CBF-4A6E-ADCB-652F5E04D0D7}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroBroker.Broker.1\ = "Broker Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4C43469-52C7-443A-A2F1-1B53A821BB87}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\VersionIndependentProgID\ = "AcroBroker.Broker"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC815B7A-828C-47E3-9E95-EF8D93F9A641}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.xfdf\CLSID = "{CA8A9780-280D-11CF-A24D-444553540000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroAccess.AcrobatAccess	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.pdfxml.1\Insertable\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA330133017706CB5110E47A00\Legal = "CoreFeatures"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc6f4d12-8575-4cff-9455-cf5774aeb13b}\Programmable	McCHSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.XFDFDoc\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FD2C8897-2BE8-459c-B8E4-0D2FCFD341F0}\InprocServer32\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\adobeafp.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41738EEA-442F-477F-92CF-2889BD6CD7E7}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\ = "IGetPDDomNode"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\CLSID\ = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD888B93-6CBF-4A6E-ADCB-652F5E04D0D7}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\ = "CAcroApp"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.Sequence\shell\Import_Action\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EC-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3}\ProxyStubClsid	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62776AC3-A015-4BA5-A1C7-DCD765881249}	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.RMFFile\EditFlags = 00000100	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\acrobat\DefaultIcon\ = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Control	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6D12C401-4E34-101B-9CA8-9240CE2738AE}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.Document.DC\protocol\StdFileEditing\verb	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\acrobat2018\shell\open\ddeexec\application	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B744CAF070E41400\SourceList\Net	msiexec.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

readerdc64_en_ga_cra_mdr_install.exe12A95990-40DE-48D2-BC13-B68F01EC7F04

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	readerdc64_en_ga_cra_mdr_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	readerdc64_en_ga_cra_mdr_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	readerdc64_en_ga_cra_mdr_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	12A95990-40DE-48D2-BC13-B68F01EC7F04
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	readerdc64_en_ga_cra_mdr_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	12A95990-40DE-48D2-BC13-B68F01EC7F04
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	12A95990-40DE-48D2-BC13-B68F01EC7F04
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	readerdc64_en_ga_cra_mdr_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	readerdc64_en_ga_cra_mdr_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	readerdc64_en_ga_cra_mdr_install.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

readerdc64_en_ga_cra_mdr_install.exeMsiExec.exeMsiExec.exeMsiExec.exeSingleClientServicesUpdater.exeMsiExec.exeMsiExec.exe12A95990-40DE-48D2-BC13-B68F01EC7F04

pid	process
1516	readerdc64_en_ga_cra_mdr_install.exe
1516	readerdc64_en_ga_cra_mdr_install.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
4640	MsiExec.exe
3336	MsiExec.exe
3336	MsiExec.exe
3336	MsiExec.exe
3336	MsiExec.exe
4996	SingleClientServicesUpdater.exe
4996	SingleClientServicesUpdater.exe
628	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
876	12A95990-40DE-48D2-BC13-B68F01EC7F04
876	12A95990-40DE-48D2-BC13-B68F01EC7F04
2240	MsiExec.exe
2240	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

setup.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2320	setup.exe
Token: SeIncreaseQuotaPrivilege	2320	setup.exe
Token: SeSecurityPrivilege	4648	msiexec.exe
Token: SeCreateTokenPrivilege	2320	setup.exe
Token: SeAssignPrimaryTokenPrivilege	2320	setup.exe
Token: SeLockMemoryPrivilege	2320	setup.exe
Token: SeIncreaseQuotaPrivilege	2320	setup.exe
Token: SeMachineAccountPrivilege	2320	setup.exe
Token: SeTcbPrivilege	2320	setup.exe
Token: SeSecurityPrivilege	2320	setup.exe
Token: SeTakeOwnershipPrivilege	2320	setup.exe
Token: SeLoadDriverPrivilege	2320	setup.exe
Token: SeSystemProfilePrivilege	2320	setup.exe
Token: SeSystemtimePrivilege	2320	setup.exe
Token: SeProfSingleProcessPrivilege	2320	setup.exe
Token: SeIncBasePriorityPrivilege	2320	setup.exe
Token: SeCreatePagefilePrivilege	2320	setup.exe
Token: SeCreatePermanentPrivilege	2320	setup.exe
Token: SeBackupPrivilege	2320	setup.exe
Token: SeRestorePrivilege	2320	setup.exe
Token: SeShutdownPrivilege	2320	setup.exe
Token: SeDebugPrivilege	2320	setup.exe
Token: SeAuditPrivilege	2320	setup.exe
Token: SeSystemEnvironmentPrivilege	2320	setup.exe
Token: SeChangeNotifyPrivilege	2320	setup.exe
Token: SeRemoteShutdownPrivilege	2320	setup.exe
Token: SeUndockPrivilege	2320	setup.exe
Token: SeSyncAgentPrivilege	2320	setup.exe
Token: SeEnableDelegationPrivilege	2320	setup.exe
Token: SeManageVolumePrivilege	2320	setup.exe
Token: SeImpersonatePrivilege	2320	setup.exe
Token: SeCreateGlobalPrivilege	2320	setup.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

readerdc64_en_ga_cra_mdr_install.exe3331D374-742A-4505-9E59-9EE3F6A06E3Fsetup.exeADelRCP.exe

pid	process
1516	readerdc64_en_ga_cra_mdr_install.exe
1516	readerdc64_en_ga_cra_mdr_install.exe
1516	readerdc64_en_ga_cra_mdr_install.exe
1516	readerdc64_en_ga_cra_mdr_install.exe
3432	3331D374-742A-4505-9E59-9EE3F6A06E3F
2320	setup.exe
2320	setup.exe
2320	setup.exe
4548	ADelRCP.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

readerdc64_en_ga_cra_mdr_install.exe3331D374-742A-4505-9E59-9EE3F6A06E3Fmsiexec.exeMsiExec.exesvchost.exeMSIFA99.tmp12A95990-40DE-48D2-BC13-B68F01EC7F04

description	pid	process	target process
PID 1516 wrote to memory of 3432	1516	readerdc64_en_ga_cra_mdr_install.exe	3331D374-742A-4505-9E59-9EE3F6A06E3F
PID 1516 wrote to memory of 3432	1516	readerdc64_en_ga_cra_mdr_install.exe	3331D374-742A-4505-9E59-9EE3F6A06E3F
PID 1516 wrote to memory of 3432	1516	readerdc64_en_ga_cra_mdr_install.exe	3331D374-742A-4505-9E59-9EE3F6A06E3F
PID 3432 wrote to memory of 2320	3432	3331D374-742A-4505-9E59-9EE3F6A06E3F	setup.exe
PID 3432 wrote to memory of 2320	3432	3331D374-742A-4505-9E59-9EE3F6A06E3F	setup.exe
PID 4648 wrote to memory of 1268	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 1268	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 1268	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 3580	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 3580	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 4640	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 4640	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 3336	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 3336	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 3336	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 2380	4648	msiexec.exe	MSI85D4.tmp
PID 4648 wrote to memory of 2380	4648	msiexec.exe	MSI85D4.tmp
PID 4648 wrote to memory of 2380	4648	msiexec.exe	MSI85D4.tmp
PID 4648 wrote to memory of 4776	4648	msiexec.exe	FullTrustNotifier.exe
PID 4648 wrote to memory of 4776	4648	msiexec.exe	FullTrustNotifier.exe
PID 4648 wrote to memory of 4776	4648	msiexec.exe	FullTrustNotifier.exe
PID 3336 wrote to memory of 4548	3336	MsiExec.exe	ADelRCP.exe
PID 3336 wrote to memory of 4548	3336	MsiExec.exe	ADelRCP.exe
PID 4648 wrote to memory of 4996	4648	msiexec.exe	SingleClientServicesUpdater.exe
PID 4648 wrote to memory of 4996	4648	msiexec.exe	SingleClientServicesUpdater.exe
PID 4824 wrote to memory of 176	4824	svchost.exe	SingleClientServicesUpdater.exe
PID 4824 wrote to memory of 176	4824	svchost.exe	SingleClientServicesUpdater.exe
PID 4648 wrote to memory of 3776	4648	msiexec.exe	MSIFA99.tmp
PID 4648 wrote to memory of 3776	4648	msiexec.exe	MSIFA99.tmp
PID 3776 wrote to memory of 4680	3776	MSIFA99.tmp	msiexec.exe
PID 3776 wrote to memory of 4680	3776	MSIFA99.tmp	msiexec.exe
PID 3776 wrote to memory of 1772	3776	MSIFA99.tmp	cmd.exe
PID 3776 wrote to memory of 1772	3776	MSIFA99.tmp	cmd.exe
PID 4648 wrote to memory of 628	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 628	4648	msiexec.exe	MsiExec.exe
PID 1516 wrote to memory of 876	1516	readerdc64_en_ga_cra_mdr_install.exe	12A95990-40DE-48D2-BC13-B68F01EC7F04
PID 1516 wrote to memory of 876	1516	readerdc64_en_ga_cra_mdr_install.exe	12A95990-40DE-48D2-BC13-B68F01EC7F04
PID 1516 wrote to memory of 876	1516	readerdc64_en_ga_cra_mdr_install.exe	12A95990-40DE-48D2-BC13-B68F01EC7F04
PID 876 wrote to memory of 2884	876	12A95990-40DE-48D2-BC13-B68F01EC7F04	McCHSvc.exe
PID 876 wrote to memory of 2884	876	12A95990-40DE-48D2-BC13-B68F01EC7F04	McCHSvc.exe
PID 876 wrote to memory of 2884	876	12A95990-40DE-48D2-BC13-B68F01EC7F04	McCHSvc.exe
PID 4648 wrote to memory of 2240	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 2240	4648	msiexec.exe	MsiExec.exe
PID 876 wrote to memory of 5044	876	12A95990-40DE-48D2-BC13-B68F01EC7F04	SSScheduler.exe
PID 876 wrote to memory of 5044	876	12A95990-40DE-48D2-BC13-B68F01EC7F04	SSScheduler.exe
PID 876 wrote to memory of 5044	876	12A95990-40DE-48D2-BC13-B68F01EC7F04	SSScheduler.exe
PID 4648 wrote to memory of 1640	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 1640	4648	msiexec.exe	MsiExec.exe
PID 4648 wrote to memory of 1640	4648	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\readerdc64_en_ga_cra_mdr_install.exe
"C:\Users\Admin\AppData\Local\Temp\readerdc64_en_ga_cra_mdr_install.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Adobe\421F1CD2-FF3C-418F-8CDD-AEB3D51F07C8\E9617D42-6985-460A-A162-6A227CA18183\3331D374-742A-4505-9E59-9EE3F6A06E3F
"C:\Users\Admin\AppData\Local\Adobe\421F1CD2-FF3C-418F-8CDD-AEB3D51F07C8\E9617D42-6985-460A-A162-6A227CA18183\3331D374-742A-4505-9E59-9EE3F6A06E3F" /sAll /re /msi PRODUCT_SOURCE=ACDC OWNERSHIP_STATE=1 UPDATE_MODE=3 EULA_ACCEPT=YES ENABLE_CHROMEEXT=1
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
"C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe" /sAll /re /msi PRODUCT_SOURCE=ACDC OWNERSHIP_STATE=1 UPDATE_MODE=3 EULA_ACCEPT=YES ENABLE_CHROMEEXT=1 DISABLE_CACHE=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Users\Admin\AppData\Local\Adobe\421F1CD2-FF3C-418F-8CDD-AEB3D51F07C8\3723EE62-28EE-4486-BB17-6355CA61FFA3\12A95990-40DE-48D2-BC13-B68F01EC7F04
"C:\Users\Admin\AppData\Local\Adobe\421F1CD2-FF3C-418F-8CDD-AEB3D51F07C8\3723EE62-28EE-4486-BB17-6355CA61FFA3\12A95990-40DE-48D2-BC13-B68F01EC7F04" /S /noeula /Affid=739 /rid=10 /source="AdobeReader"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876

C:\Program Files (x86)\McAfee Security Scan\4.0.135\McCHSvc.exe
"C:\Program Files (x86)\McAfee Security Scan\4.0.135\McCHSvc.exe" /Service
3⤵
- Executes dropped EXE
- Modifies registry class
PID:2884

C:\Program Files (x86)\McAfee Security Scan\4.0.135\SSScheduler.exe
"C:\Program Files (x86)\McAfee Security Scan\4.0.135\SSScheduler.exe"
3⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 3528 -ip 3528
1⤵
PID:1380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3528 -s 1772
1⤵
- Program crash
PID:1828

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Sets file execution options in registry
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 23B265CE427FB9456D92CC01C77B1E4F
2⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1268

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding FC416A305084268BC21430C60084753A
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3580

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 6F622AE81436B3747997FA207D54D345 E Global\MSI0000
2⤵
- Sets file execution options in registry
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D5637CFECC090450BF1C1CF8D5725B06 E Global\MSI0000
2⤵
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3336

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
"C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4548 -s 148
4⤵
- Program crash
PID:1868

C:\Windows\Installer\MSI85D4.tmp
"C:\Windows\Installer\MSI85D4.tmp" /b 2 120 0
2⤵
- Executes dropped EXE
PID:2380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" ClearToasts
2⤵
- Executes dropped EXE
PID:4776

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe" 22.002.20191 --SingleClientApp
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4996

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
--postMsg
3⤵
- Executes dropped EXE
PID:176

C:\Windows\Installer\MSIFA99.tmp
"C:\Windows\Installer\MSIFA99.tmp" {AC76BA86-1033-1033-7760-BC15014EA700} 1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\system32\msiexec.exe
msiexec.exe /i {AC76BA86-1033-1033-7760-BC15014EA700} REINSTALLMODE=omus REINSTALL=ALL IS_SEC_INSTALL=1 /qn
3⤵
PID:4680

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\Installer\MSIFA99.tmp"
3⤵
PID:1772

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding B059717693AA7D52C1F66155E67EA2A6
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 95325E661C4CC3020C56430AEC964F29 E Global\MSI0000
2⤵
- Registers COM server for autorun
- Sets file execution options in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4F8B6C21477CE70ECCE3CEFBB873E1A8 E Global\MSI0000
2⤵
PID:1640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 4548 -ip 4548
1⤵
PID:3904

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4824

C:\Program Files (x86)\McAfee Security Scan\4.0.135\McCHSvc.exe
"C:\Program Files (x86)\McAfee Security Scan\4.0.135\McCHSvc.exe"
1⤵
- Executes dropped EXE
PID:2392

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
1⤵
- Executes dropped EXE
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\COMMON FILES\ADOBE\ACROBAT\SETUP\{AC76BA86-1033-1033-7760-BC15014EA700}\Abcpy.ini
Filesize
647B

MD5
6e90b40b81420d7c1c040f0a43c8be43

SHA1
0c6dd707c432cfcfb20817a149c597cb7c850e35

SHA256
63932f5fa0df2396731c0b3d4740b7fa985f932e9283f1c31e6f65e883bc6c1c

SHA512
fe077ec6892d5785cc183d71733fce877ff356b566b8cfc740ad4e3a77adfeb2a1c21e09cbf622015c95bd6cae7393b4a08620d20eea38b9a1c7c21b1d8db1ae

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\AcroPro.msi
Filesize
11.1MB

MD5
2a08127cb509b3a8aeb4f5a495aeee02

SHA1
d1a1e2a8d72e017f23502d924d5d0607821648bf

SHA256
f86b86c5d41407ebbfff7632de74375e743784e4f88c1e74c1e24f64467aa7f6

SHA512
e1ae85aef2c979fe567888662ec5af4a64c2a75973eff7a18ad083356f5c01c5a8f1c68b3711a6a62ec5544d63ee978bc26698b47b066404450daac92a850248

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\AcroRdrDCx64Upd2200220191.msp
Filesize
269.5MB

MD5
315f2b694609fb15472f9b5732fe79f8

SHA1
ce27126b4e1d8fbf126acd4fb348e9e55b953232

SHA256
8b9036fc6403694c538e11021cffd9ccfcf7f689b78112cb0431e57360e8cb16

SHA512
bcaea0920ed294747e36f22b1ee22540fcdeb721fca150502eabb27f0b006edb0e459ab0bd08541adfc422b7ba122b27ab6f8d17d6cebcd02d0aa763510cbd87

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\Core.cab
Filesize
490.5MB

MD5
b80e8040e63617f75bc0e0720832d904

SHA1
851d2cd29f636637d4a96161904ddf83bd40fcc1

SHA256
f9355903a07c4e4174846e62c4d2419a61f4224c6396c76782af784920c0fa49

SHA512
f16c4de487ddaa7b9b66da789391046bd31092ec4c15bd95a807e5f22abe499a95a5d999c859769e4a9b6e342953119e69021888af95ab52b547560a4a4930b3

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Filesize
626KB

MD5
86b3fa97187d5d8679918c2dc4ed9641

SHA1
f8f614d9a3258cbc72d2695f3fca0c7c5dd5db5d

SHA256
aba0f84acceb95bfff3d176f1f57f78a379748e0a688b645548f8b678343d718

SHA512
da5a430f0cce0d55edf137c5aa0e79362beeb5d3da9383c9c129d6549fef6b3dd8fc013b2c01d6ec56c18c4c157748e450a5787951eff6085272e2e78102744f

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Filesize
626KB

MD5
86b3fa97187d5d8679918c2dc4ed9641

SHA1
f8f614d9a3258cbc72d2695f3fca0c7c5dd5db5d

SHA256
aba0f84acceb95bfff3d176f1f57f78a379748e0a688b645548f8b678343d718

SHA512
da5a430f0cce0d55edf137c5aa0e79362beeb5d3da9383c9c129d6549fef6b3dd8fc013b2c01d6ec56c18c4c157748e450a5787951eff6085272e2e78102744f

Download Submit
C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.ini
Filesize
369B

MD5
ce9bdcda61dccfa56c50d4f15d2dec93

SHA1
c0356df22f7a649dff6b7a07403bcbd716745748

SHA256
33d7eabd4a3375ee5459a5a5f0e2aa2b783a838dfbd137597db38c367e088ce4

SHA512
906525c51eac16ce705cb483109aea77a36832196dd1f3aeb4660fcd3cc7a5f52fc450d6137044e036d444b0571f3b818e101a3cd770775801cde742ecd5eca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Filesize
471B

MD5
3375c6ee5a62f261c71f07002f0cb2f2

SHA1
26821dca1a0ca781ed6e54b32c7c997e381761f9

SHA256
755f246d717981c82a64ea286384c230bef5abacf25226f2d7b552335fcaf54e

SHA512
66e684a8dcd20892f00621b4a7809df1b0283b33546644399370adee0a0182d707c407e51787028142c86a2e8fd68ed2477d3ff681d2d17d2bb35b95b0823ca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
Filesize
471B

MD5
9483cb7cbcc079750a8be2d65a83ba06

SHA1
4ffbac4b3c2ef12ea2ae251a4a87a6262b255d3e

SHA256
942b1169623abc59c45692503bb8269631cf0b5b8218b84a9ab9755190300a39

SHA512
b3c1a95490fe0ca3fa0ee12db34d3fcffaa277792471d1b3fa15100c9e520756be5eea7fbce453d69f9723a82faaec4a99649d20c3127f5855aaf663027406ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Filesize
396B

MD5
fc31b425cd597b1c29d34abe1aafe550

SHA1
d99dd1152f21a2c6a67078c6d03b7be8472ff420

SHA256
06873fca7ff2b88d48ffd02c60545cd19f796aafbbd0c8b5a827a1c0717d5208

SHA512
c2998d6ab700ba5a5e98e6aff50426b56089018ced3599a320b0dfd9ac469021c92c63b559ddae98cc430ba9c5a02b8e78732add181dc62298446bde4b7d496a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_0CA0B6A0FC061704366CD7F8CEED0190
Filesize
420B

MD5
960ae439cb2ba8050bc0a106501be46b

SHA1
46291ebb0fab98022327189a22ae4ec640c70e64

SHA256
ab9f787c415d127d5c0e3e97bee3cf1b3aa2e7a4d2b2685e69640817b4262a0a

SHA512
128bde341b40c946382eac4254df794b11db5e1bbe626befb67dcaf272841e25b50307b4929273451f3139152f02fe3bda7112093aa4e63fb0c0d2dbfe82d875

Download Submit
C:\Users\Admin\AppData\Local\Adobe\421F1CD2-FF3C-418F-8CDD-AEB3D51F07C8\E9617D42-6985-460A-A162-6A227CA18183\3331D374-742A-4505-9E59-9EE3F6A06E3F
Filesize
304.3MB

MD5
65f227aab8cc59de3d4cf66d3be26336

SHA1
e9433ecedeb00f056d6d1ac85570055eb0ec85d3

SHA256
83822e5f53da908d9b558641244caa58a45df8d5cfc7d91ae1963f537ab2a5f8

SHA512
305dec58f943e0ee4435c947eb0f47c4f2181870c7adc2734ca74303876bf6808cb44452dfe5ce009ee2c17126e7bc623a10dff31f3f67ebaf44b8390ecd2ba7

Download Submit
C:\Users\Admin\AppData\Local\Adobe\421F1CD2-FF3C-418F-8CDD-AEB3D51F07C8\E9617D42-6985-460A-A162-6A227CA18183\3331D374-742A-4505-9E59-9EE3F6A06E3F
Filesize
304.3MB

MD5
65f227aab8cc59de3d4cf66d3be26336

SHA1
e9433ecedeb00f056d6d1ac85570055eb0ec85d3

SHA256
83822e5f53da908d9b558641244caa58a45df8d5cfc7d91ae1963f537ab2a5f8

SHA512
305dec58f943e0ee4435c947eb0f47c4f2181870c7adc2734ca74303876bf6808cb44452dfe5ce009ee2c17126e7bc623a10dff31f3f67ebaf44b8390ecd2ba7

Download Submit
C:\Windows\Installer\MSI894B.tmp
Filesize
141KB

MD5
edb88affffd67bca3523b41d3e2e4810

SHA1
0055b93907665fed56d22a7614a581a87d060ead

SHA256
4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15

SHA512
2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf

Download Submit
C:\Windows\Installer\MSI894B.tmp
Filesize
141KB

MD5
edb88affffd67bca3523b41d3e2e4810

SHA1
0055b93907665fed56d22a7614a581a87d060ead

SHA256
4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15

SHA512
2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf

Download Submit
C:\Windows\Installer\MSI8BCC.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8BCC.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8C69.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8C69.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8C7A.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8C7A.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8CBA.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8CBA.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8CCA.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8CCA.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8D87.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
C:\Windows\Installer\MSI8D87.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
C:\Windows\Installer\MSI8E05.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI8E05.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI94FB.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI94FB.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI9569.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI9569.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSI956A.tmp
Filesize
476KB

MD5
3d12ce16d514aae51a33d6ab1246900a

SHA1
db461b94a6514c6471d9bd93efb61ee16a570e48

SHA256
bea39de9621393e7f88845820e878bfb843553f231f8eecc4b8248faa1060941

SHA512
3ee5b12af1623e04cba096a67f2c569d4b2b6af34fcdd153789ddea1b3d856754bf502c7770bb11e97bbe8cd6b76b4913220b2ce80371ff0772f3757e901a8d8

Download Submit
C:\Windows\Installer\MSI956A.tmp
Filesize
476KB

MD5
3d12ce16d514aae51a33d6ab1246900a

SHA1
db461b94a6514c6471d9bd93efb61ee16a570e48

SHA256
bea39de9621393e7f88845820e878bfb843553f231f8eecc4b8248faa1060941

SHA512
3ee5b12af1623e04cba096a67f2c569d4b2b6af34fcdd153789ddea1b3d856754bf502c7770bb11e97bbe8cd6b76b4913220b2ce80371ff0772f3757e901a8d8

Download Submit
C:\Windows\Installer\MSI95AA.tmp
Filesize
201KB

MD5
0d552389eb576bd568c6729d782a0fe5

SHA1
8b52986c6d52da0a4e57e8f2957f2e96bb69ce8f

SHA256
7b11f38a728b9abbc4732d65d5ef8552b6db0762e6c1ca86cf74f0dba4620d64

SHA512
7a1b07925e912ff0ff5d8eac75dcd83007eecc8e2b63e590389b745160929cc3ec0c973d2c9572c2bcbe22071c08c263d9c501ece3814a343ffbcf59f7214702

Download Submit
C:\Windows\Installer\MSI95AA.tmp
Filesize
201KB

MD5
0d552389eb576bd568c6729d782a0fe5

SHA1
8b52986c6d52da0a4e57e8f2957f2e96bb69ce8f

SHA256
7b11f38a728b9abbc4732d65d5ef8552b6db0762e6c1ca86cf74f0dba4620d64

SHA512
7a1b07925e912ff0ff5d8eac75dcd83007eecc8e2b63e590389b745160929cc3ec0c973d2c9572c2bcbe22071c08c263d9c501ece3814a343ffbcf59f7214702

Download Submit
C:\Windows\Installer\MSIA700.tmp
Filesize
140KB

MD5
c5d19778eb2d60a935fa6f3e27823f73

SHA1
f59b6a146d45bc8c94ca5823deb79a7617bdca15

SHA256
2802dcfa78f0b44a00b7def026afa2084bb72baa801c647664b9cc747a6bd08a

SHA512
73e2ffd90881b41383d6aa31b69040f21bdb33ffe052b119cc9f59986e05697f3e52889167f7dfe79aef03509b6cac8e558da6dc07491eceefa5266cbd00cb5b

Download Submit
C:\Windows\Installer\MSIA700.tmp
Filesize
140KB

MD5
c5d19778eb2d60a935fa6f3e27823f73

SHA1
f59b6a146d45bc8c94ca5823deb79a7617bdca15

SHA256
2802dcfa78f0b44a00b7def026afa2084bb72baa801c647664b9cc747a6bd08a

SHA512
73e2ffd90881b41383d6aa31b69040f21bdb33ffe052b119cc9f59986e05697f3e52889167f7dfe79aef03509b6cac8e558da6dc07491eceefa5266cbd00cb5b

Download Submit
C:\Windows\Installer\MSIA730.tmp
Filesize
151KB

MD5
ad2b74452cc2ff7b68e8f28310d679d0

SHA1
d9f3c3d1d06303f34921eb508c64b15eb352d639

SHA256
ab3ce603b635fabfb0fdd563959df20632bfdfddf224e503a7a157ab7dc12cd4

SHA512
5de67d3f7ef3e4c381cd6d905da052265abb1fb55478faa9188ffe4b24627e5a87fb9bb7ac0c769091a364eecb51b4e7ce29ab71edcf8cd24dd2b0c70a840b04

Download Submit
C:\Windows\Installer\MSIA730.tmp
Filesize
151KB

MD5
ad2b74452cc2ff7b68e8f28310d679d0

SHA1
d9f3c3d1d06303f34921eb508c64b15eb352d639

SHA256
ab3ce603b635fabfb0fdd563959df20632bfdfddf224e503a7a157ab7dc12cd4

SHA512
5de67d3f7ef3e4c381cd6d905da052265abb1fb55478faa9188ffe4b24627e5a87fb9bb7ac0c769091a364eecb51b4e7ce29ab71edcf8cd24dd2b0c70a840b04

Download Submit
C:\Windows\Installer\MSIA741.tmp
Filesize
151KB

MD5
ad2b74452cc2ff7b68e8f28310d679d0

SHA1
d9f3c3d1d06303f34921eb508c64b15eb352d639

SHA256
ab3ce603b635fabfb0fdd563959df20632bfdfddf224e503a7a157ab7dc12cd4

SHA512
5de67d3f7ef3e4c381cd6d905da052265abb1fb55478faa9188ffe4b24627e5a87fb9bb7ac0c769091a364eecb51b4e7ce29ab71edcf8cd24dd2b0c70a840b04

Download Submit
C:\Windows\Installer\MSIA741.tmp
Filesize
151KB

MD5
ad2b74452cc2ff7b68e8f28310d679d0

SHA1
d9f3c3d1d06303f34921eb508c64b15eb352d639

SHA256
ab3ce603b635fabfb0fdd563959df20632bfdfddf224e503a7a157ab7dc12cd4

SHA512
5de67d3f7ef3e4c381cd6d905da052265abb1fb55478faa9188ffe4b24627e5a87fb9bb7ac0c769091a364eecb51b4e7ce29ab71edcf8cd24dd2b0c70a840b04

Download Submit
C:\Windows\Installer\MSIA780.tmp
Filesize
480KB

MD5
14c1cd91516fa7af6ad159fbb1a4237a

SHA1
6dbf2d6d9c2451575dd7b5e22d1ad1345b0f6f8c

SHA256
cba5254e9fe764677a8721e4d98b82af65485cf0e4ed2193f038acdf7dd59b33

SHA512
fb0747fbc614c855bff25562228742e3a0846516d109e59d2840ee55730c9dff0579b6fbe837b98ce4b64c601ffe36600c9250f6401f678d1182eed2abcd3997

Download Submit
C:\Windows\Installer\MSIA780.tmp
Filesize
480KB

MD5
14c1cd91516fa7af6ad159fbb1a4237a

SHA1
6dbf2d6d9c2451575dd7b5e22d1ad1345b0f6f8c

SHA256
cba5254e9fe764677a8721e4d98b82af65485cf0e4ed2193f038acdf7dd59b33

SHA512
fb0747fbc614c855bff25562228742e3a0846516d109e59d2840ee55730c9dff0579b6fbe837b98ce4b64c601ffe36600c9250f6401f678d1182eed2abcd3997

Download Submit
C:\Windows\Installer\MSIA7A1.tmp
Filesize
480KB

MD5
14c1cd91516fa7af6ad159fbb1a4237a

SHA1
6dbf2d6d9c2451575dd7b5e22d1ad1345b0f6f8c

SHA256
cba5254e9fe764677a8721e4d98b82af65485cf0e4ed2193f038acdf7dd59b33

SHA512
fb0747fbc614c855bff25562228742e3a0846516d109e59d2840ee55730c9dff0579b6fbe837b98ce4b64c601ffe36600c9250f6401f678d1182eed2abcd3997

Download Submit
C:\Windows\Installer\MSIA7A1.tmp
Filesize
480KB

MD5
14c1cd91516fa7af6ad159fbb1a4237a

SHA1
6dbf2d6d9c2451575dd7b5e22d1ad1345b0f6f8c

SHA256
cba5254e9fe764677a8721e4d98b82af65485cf0e4ed2193f038acdf7dd59b33

SHA512
fb0747fbc614c855bff25562228742e3a0846516d109e59d2840ee55730c9dff0579b6fbe837b98ce4b64c601ffe36600c9250f6401f678d1182eed2abcd3997

Download Submit
C:\Windows\Installer\MSIA81F.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
C:\Windows\Installer\MSIA81F.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
C:\Windows\Installer\MSIA87D.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIA87D.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIA88E.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIA88E.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIA8AE.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIA8AE.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIA8CE.tmp
Filesize
138KB

MD5
6ffc030b7530a4f7310e10d0a5ea6491

SHA1
d2f737ed65569e1fe1d6db34021bf66f166f9061

SHA256
2a13e8afbb6807bd822a53ac51d4bb340d5e1b1e24eab783b035dc3d5342e4e4

SHA512
56e1255ee36689cdebd9dd5e162ff1007fd7b08193374d16b2e057d08f20b4811ae222478672850a268d2d60f71a014309d71076b90f86b4b6228bd65f3b2d72

Download Submit
C:\Windows\Installer\MSIA8CE.tmp
Filesize
138KB

MD5
6ffc030b7530a4f7310e10d0a5ea6491

SHA1
d2f737ed65569e1fe1d6db34021bf66f166f9061

SHA256
2a13e8afbb6807bd822a53ac51d4bb340d5e1b1e24eab783b035dc3d5342e4e4

SHA512
56e1255ee36689cdebd9dd5e162ff1007fd7b08193374d16b2e057d08f20b4811ae222478672850a268d2d60f71a014309d71076b90f86b4b6228bd65f3b2d72

Download Submit
C:\Windows\Installer\MSIAB50.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIAB50.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIAB90.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
C:\Windows\Installer\MSIAB90.tmp
Filesize
509KB

MD5
7b96dadadfd37bbcf66e9c26b898dbec

SHA1
906040ff69237d1aa65919a682ca594a97ab763a

SHA256
d44ceefbbea456af2dc5aabbcad4e0bce2c3850cb1f49246cdccbfc7b57f86bc

SHA512
38a65eddd52c8cc41a41f7d861c58789a159d0a1dd6aba302d71733832561cd22316b3850b6b67b9af0095dbe3456bd6281205599dcf9c9aaaff6464b90a7b2b

Download Submit
C:\Windows\Installer\MSIABBF.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
C:\Windows\Installer\MSIABBF.tmp
Filesize
608KB

MD5
0cdba6e40028086ce1ab392f30356cda

SHA1
2132aa31af28eb829c8b1f5d3baf5c894e580a1a

SHA256
108d1806d6c32e05aa824a692b419f033d66243ddd15e0749ac44ccf11645f62

SHA512
e9df33ef5163e6651d061d0baab7eb061388fb905d38365a00c3ca588aaaf982c5ef7c51c310017bd5fe7f065dad6b1dce43004a08e2e804441f1f6eec16a245

Download Submit
memory/176-233-0x0000000000000000-mapping.dmp

Download
memory/628-237-0x0000000000000000-mapping.dmp

Download
memory/628-239-0x0000021991060000-0x00000219910DD000-memory.dmp

Filesize
500KB

Download
memory/876-238-0x0000000000000000-mapping.dmp

Download
memory/1268-148-0x0000000000000000-mapping.dmp

Download
memory/1516-132-0x0000000000A30000-0x0000000000E67000-memory.dmp

Filesize
4.2MB

Download
memory/1516-134-0x0000000000A30000-0x0000000000E67000-memory.dmp

Filesize
4.2MB

Download
memory/1516-133-0x0000000000EB0000-0x0000000000EB3000-memory.dmp

Filesize
12KB

Download
memory/1640-247-0x0000000000000000-mapping.dmp

Download
memory/1772-236-0x0000000000000000-mapping.dmp

Download
memory/2240-245-0x000001A1A22B0000-0x000001A1A234B000-memory.dmp

Filesize
620KB

Download
memory/2240-243-0x000001A1A2200000-0x000001A1A2235000-memory.dmp

Filesize
212KB

Download
memory/2240-241-0x0000000000000000-mapping.dmp

Download
memory/2240-244-0x000001A1A2240000-0x000001A1A2275000-memory.dmp

Filesize
212KB

Download
memory/2320-138-0x0000000000000000-mapping.dmp

Download
memory/2380-229-0x0000000000000000-mapping.dmp

Download
memory/2884-240-0x0000000000000000-mapping.dmp

Download
memory/3336-228-0x0000000000000000-mapping.dmp

Download
memory/3432-135-0x0000000000000000-mapping.dmp

Download
memory/3580-202-0x000001D3FA5F0000-0x000001D3FA68B000-memory.dmp

Filesize
620KB

Download
memory/3580-151-0x0000000000000000-mapping.dmp

Download
memory/3776-234-0x0000000000000000-mapping.dmp

Download
memory/4548-231-0x0000000000000000-mapping.dmp

Download
memory/4640-216-0x000001AEF74E1000-0x000001AEF7543000-memory.dmp

Filesize
392KB

Download
memory/4640-209-0x000001AEF74F1000-0x000001AEF7511000-memory.dmp

Filesize
128KB

Download
memory/4640-204-0x0000000000000000-mapping.dmp

Download
memory/4640-223-0x000001AEF74E1000-0x000001AEF7543000-memory.dmp

Filesize
392KB

Download
memory/4640-222-0x000001AEF74E1000-0x000001AEF7543000-memory.dmp

Filesize
392KB

Download
memory/4640-217-0x000001AEF74E1000-0x000001AEF7543000-memory.dmp

Filesize
392KB

Download
memory/4640-205-0x000001AEF74A0000-0x000001AEF74D5000-memory.dmp

Filesize
212KB

Download
memory/4640-206-0x000001AEF74F0000-0x000001AEF7525000-memory.dmp

Filesize
212KB

Download
memory/4640-208-0x000001AEF74F1000-0x000001AEF7511000-memory.dmp

Filesize
128KB

Download
memory/4640-210-0x000001AEF74E0000-0x000001AEF757B000-memory.dmp

Filesize
620KB

Download
memory/4680-235-0x0000000000000000-mapping.dmp

Download
memory/4776-230-0x0000000000000000-mapping.dmp

Download
memory/4996-232-0x0000000000000000-mapping.dmp

Download
memory/5044-242-0x0000000000000000-mapping.dmp

Download