107098cfeb62a8ed4424ebf0f03d750431bd002ec9b7f94b94472564e015bcec

Analysis

max time kernel
143s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2023 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer_Win8_Win11_x64_24c29276a3b22.exe
Size

89.3MB
MD5

b1479314543562cb059c65d64321b472
SHA1

fe54cd405a6be981eb925ad4f20ebcebaa7f7bb4
SHA256

107098cfeb62a8ed4424ebf0f03d750431bd002ec9b7f94b94472564e015bcec
SHA512

69f95405c267327fa3852fc1de145782552d07a5a02f76279aad9fb8f9e94ac96fcbb493e3ea8af398393a79a0b457008ffb8dfd4e56a5b2f35a42a81fdbdc6a
SSDEEP

1572864:pUXfXzK11PZrm7q4o+Ahfo5YcLzb1aWBA+HKf4RamooEvMA/fxlN0+MqJQIxRH2X:pUXfDU1ht4PAhZcXxdW+qf4Ko7w/0+kf

Score

10^/10

discovery persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Comodo Antivirus	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Comodo Antivirus\ = "{4255A182-CAD9-4214-A19B-7BA7FB633BBD}"	MsiExec.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2200	msiexec.exe
16	2200	msiexec.exe
33	2200	msiexec.exe
37	2200	msiexec.exe

Drops file in Drivers directory 16 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\ceserd.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\cesguard.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\ceskbdflt.sys	msiexec.exe
File created	C:\Windows\system32\DRIVERS\SETDBF9.tmp	cfpconfg.exe
File opened for modification	C:\Windows\system32\DRIVERS\cesguard.sys	cfpconfg.exe
File opened for modification	C:\Windows\system32\drivers\ceserd.sys	cfpconfg.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETE0AD.tmp	cfpconfg.exe
File created	C:\Windows\system32\Drivers\cesfw.sys	msiexec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETDBC9.tmp	cfpconfg.exe
File created	C:\Windows\system32\DRIVERS\SETDBC9.tmp	cfpconfg.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETDBF9.tmp	cfpconfg.exe
File created	C:\Windows\system32\Drivers\ceshlp.sys	msiexec.exe
File opened for modification	C:\Windows\system32\DRIVERS\ceserd.sys	cfpconfg.exe
File created	C:\Windows\system32\drivers\cesboot.sys	cfpconfg.exe
File created	C:\Windows\system32\DRIVERS\SETE0AD.tmp	cfpconfg.exe
File opened for modification	C:\Windows\system32\DRIVERS\ceskbdflt.sys	cfpconfg.exe

Executes dropped EXE 10 IoCs

pid	Process
4540	offlineinstaller.exe
3528	MSI20BD.tmp
3216	MSI20BD.tmp
5028	cfpconfg.exe
2252	cisbf.exe
4652	cmdagent.exe
4012	cmdprots.exe
2440	cmdicap.exe
4156	cavwp.exe
4472	python_x86_Lib.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BBB01528-20FE-4bc2-9D26-C70E3ABB9CD1}\LocalServer32	cmdagent.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{868A55F7-D79E-4C2E-8091-DEA9042B987F}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE4DEE24-6CFC-48DF-89C4-29BD4954B895}\InProcServer32\ = "C:\\Program Files\\COMODO\\COMODO Internet Security\\cavwpps.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2144259E-4C78-498D-A7D1-A1596E3AD5A2}\InProcServer32\ThreadingModel = "Both"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4255A182-CAD9-4214-A19B-7BA7FB633BBD}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7D729A7-3570-4902-944A-470C9919FCCB}\InProcServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF101135-6584-46e7-8AA1-8FCD1FCA5042}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	cmdagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31A70E75-5CD1-44D4-A9E4-10650F15B1C2}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	cmdagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{10F58851-4358-4E4B-8494-DF34393F41A5}\LOCALSERVER32	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE4DEE24-6CFC-48DF-89C4-29BD4954B895}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE4DEE24-6CFC-48DF-89C4-29BD4954B895}\InProcServer32\ = "C:\\Program Files\\COMODO\\COMODO Internet Security\\cavwpps.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31A70E75-5CD1-44D4-A9E4-10650F15B1C2}\LocalServer32	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4D33F09-D11A-485D-AB08-8BFF862E7120}\LocalServer32	cisbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4D33F09-D11A-485D-AB08-8BFF862E7120}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cisbf.exe\""	cisbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9F2D4924-C5F4-43B6-A4AB-C4161C4C2879}\InProcServer32\ = "C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdcomps.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31A70E75-5CD1-44D4-A9E4-10650F15B1C2}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9F70CAE4-E872-43DA-917C-71C02CCE2035}\LOCALSERVER32	cmdagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10F58851-4358-4E4B-8494-DF34393F41A5}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	cmdagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED181758-F11B-4C85-AEA2-199B3DC9F7DE}\InprocServer32\ThreadingModel = "Free"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9F70CAE4-E872-43DA-917C-71C02CCE2035}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9F70CAE4-E872-43DA-917C-71C02CCE2035}\LocalServer32\ThreadingModel = "Free"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{05E5F178-256F-42EE-9BF4-A7E080F7B354}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{868A55F7-D79E-4C2E-8091-DEA9042B987F}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cavwp.exe\" /ModeAvSigChecker"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF101135-6584-46e7-8AA1-8FCD1FCA5042}\LocalServer32	cmdagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4255A182-CAD9-4214-A19B-7BA7FB633BBD}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{67683718-82B8-4557-86A8-E04D169EF883}\InProcServer32\ = "C:\\Program Files\\COMODO\\COMODO Internet Security\\cisbfps.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31A70E75-5CD1-44D4-A9E4-10650F15B1C2}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81B0EDF3-1CAB-4B8A-BD36-C4DEFAC1DCF9}\LocalServer32\ThreadingModel = "Free"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF101135-6584-46E7-8AA1-8FCD1FCA5042}\LocalServer32\ThreadingModel = "Free"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4D33F09-D11A-485D-AB08-8BFF862E7120}\LocalServer32\ServerExecutable = "C:\\Program Files\\COMODO\\COMODO Internet Security\\cisbf.exe"	cisbf.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{2144259E-4C78-498D-A7D1-A1596E3AD5A2}\InProcServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7D729A7-3570-4902-944A-470C9919FCCB}\InProcServer32\ThreadingModel = "Both"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9F2D4924-C5F4-43B6-A4AB-C4161C4C2879}\InProcServer32\ThreadingModel = "Both"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF101135-6584-46E7-8AA1-8FCD1FCA5042}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10F58851-4358-4E4B-8494-DF34393F41A5}\LocalServer32\ThreadingModel = "Both"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{FF101135-6584-46E7-8AA1-8FCD1FCA5042}\LOCALSERVER32	cmdagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C288AC5A-D846-4696-8028-2DF6F508D0D9}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81B0EDF3-1CAB-4B8A-BD36-C4DEFAC1DCF9}\LocalServer32	cmdagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE4DEE24-6CFC-48DF-89C4-29BD4954B895}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C288AC5A-D846-4696-8028-2DF6F508D0D9}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE4DEE24-6CFC-48DF-89C4-29BD4954B895}\InProcServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED181758-F11B-4C85-AEA2-199B3DC9F7DE}\InprocServer32\ = "C:\\Program Files\\COMODO\\COMODO Internet Security\\cisresc.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C288AC5A-D846-4696-8028-2DF6F508D0D9}\LocalServer32\ThreadingModel = "Free"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A1850D95-9C38-4D86-AC40-E559BC0E73C9}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C288AC5A-D846-4696-8028-2DF6F508D0D9}\LocalServer32	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9F70CAE4-E872-43DA-917C-71C02CCE2035}\LocalServer32	cmdagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4255A182-CAD9-4214-A19B-7BA7FB633BBD}\InprocServer32\ = "C:\\Program Files\\COMODO\\COMODO Internet Security\\cavshell.dll"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4255A182-CAD9-4214-A19B-7BA7FB633BBD}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7D729A7-3570-4902-944A-470C9919FCCB}\InProcServer32\ = "C:\\Program Files\\COMODO\\COMODO Internet Security\\cisresc.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{81B0EDF3-1CAB-4B8A-BD36-C4DEFAC1DCF9}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9F2D4924-C5F4-43B6-A4AB-C4161C4C2879}\InProcServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E0E9D49D-65D1-4AB1-8235-DF90B6ED8483}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E8718E3A-1985-473C-9196-9A39AFB0028E}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B691E6DB-B216-4532-A2F3-1656BAC416FC}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{67683718-82B8-4557-86A8-E04D169EF883}\InProcServer32\ThreadingModel = "Both"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05E5F178-256F-42EE-9BF4-A7E080F7B354}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cavwp.exe\" /ModeAvScanner"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C288AC5A-D846-4696-8028-2DF6F508D0D9}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8718E3A-1985-473C-9196-9A39AFB0028E}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cavwp.exe\" /ModeAvMerger"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{C288AC5A-D846-4696-8028-2DF6F508D0D9}\LOCALSERVER32	cmdagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{31A70E75-5CD1-44D4-A9E4-10650F15B1C2}\LOCALSERVER32	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED181758-F11B-4C85-AEA2-199B3DC9F7DE}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81B0EDF3-1CAB-4B8A-BD36-C4DEFAC1DCF9}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81B0EDF3-1CAB-4B8A-BD36-C4DEFAC1DCF9}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe\""	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10F58851-4358-4E4B-8494-DF34393F41A5}\LocalServer32	cmdagent.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ceserd\ImagePath = "System32\\DRIVERS\\ceserd.sys"	cfpconfg.exe

Loads dropped DLL 56 IoCs

pid	Process
5068	MsiExec.exe
5068	MsiExec.exe
5068	MsiExec.exe
4224	MsiExec.exe
4224	MsiExec.exe
4224	MsiExec.exe
4224	MsiExec.exe
4224	MsiExec.exe
4224	MsiExec.exe
5028	cfpconfg.exe
4652	cmdagent.exe
4652	cmdagent.exe
1984	regsvr32.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4652	cmdagent.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4156	cavwp.exe
4224	MsiExec.exe
4224	MsiExec.exe
3636	MsiExec.exe
4028	MsiExec.exe
3160	MsiExec.exe
4460	MsiExec.exe
4460	MsiExec.exe
952	MsiExec.exe
3204	MsiExec.exe
1976	MsiExec.exe
1664	MsiExec.exe
4224	MsiExec.exe
4224	MsiExec.exe
3868	MsiExec.exe
3868	MsiExec.exe
3868	MsiExec.exe
3868	MsiExec.exe
4868	MsiExec.exe
4868	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cfpconfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cis.exe\" --cistrayUI"	cfpconfg.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1063

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\Timestamp.{AF858DA4-6F8E-4298-84E2-AB5DBB7741DB} = "1673385953"	cfpconfg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\VolatileData	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CmdProts\_Trace_Enabled_To_File	cmdprots.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\Timestamp.{ABB45338-2428-46D5-BCA1-F907810012C7} = "1673385958"	cmdagent.exe
Key security queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer	msiexec.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\VolatileData\RebootWaitingComponents	cmdagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CmdProts\_Trace_Enabled = "1"	cfpconfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CIS\_Trace_Enabled = "1"	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\UpdateBin.{A6D52E4F-569B-4756-B3D8-DF217313DA85}	cmdagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\AllowedDowngrade = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\Timestamp.{1AB2EC41-A04B-45CB-84CB-11BA5EBA283D} = "1673385964"	cmdagent.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\Proxy\AllowSkip	cmdagent.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\ChannelID	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CavWp\_Trace_Category_Override	cavwp.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\Langs.cmdres	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\CmcHost = "cmc.comodo.com"	msiexec.exe
Key security queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\Proxy\ProxyAuthLogin	cfpconfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CfpConfg\_Trace_Level = "2"	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\CreatorTrackingExcludePaths	cmdagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\InstallEndTimestamp = "133178595641260000"	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\Scan.{F140D794-60B6-4F00-9235-D6457AA25B22}	cmdagent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UsageStatHost	msiexec.exe
Key security queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CavWp	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UpdateURLS	cfpconfg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\VolatileData	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UpdateURL = "https://download.comodo.com/"	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\Timestamp.{0E9B65E7-29F3-4520-A8EC-2DDEF68A1170}	cmdagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\Silent diag support = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\Timestamp.{6AA9E24E-269F-4675-AE6A-67DF4BEE0E9E} = "1673385954"	cfpconfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\Proxy\AllowSkip = "0"	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UpdateURLS = 680074007400700073003a002f002f0064006f0077006e006c006f00610064002e0063006f006d006f0064006f002e0063006f006d002f00000068007400740070003a002f002f0064006f0077006e006c006f00610064002e0063006f006d006f0064006f002e0063006f006d002f0000000000	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CmdProts\_Trace_Enabled_To_WinLog	cmdprots.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\AllowedDowngrade	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CavWp\_Trace_Enabled_To_WinLog = "1"	cfpconfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CavWp\_Trace_Level = "2"	cfpconfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\MsiProductCode = "{A5001C53-6E10-4BE1-BA52-D7B364531FB9}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\Timestamp.{1AB2EC41-A04B-45CB-84CB-11BA5EBA283D} = "1673385953"	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CavWp\_Trace_Enabled_To_WinLog	cavwp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\VolumeUsns = b608bed400000000089e301400000000	cmdagent.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\EsmPortForEsmSetup = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\CfpConfg\_Trace_Enabled_To_WinLog = "1"	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data	cfpconfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UserEmail	msiexec.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	cfpconfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Shared Space\link2 = "C:\\Users\\Default\\Links\\Shared Space.lnk"	cfpconfg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\Proxy	cfpconfg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\HandledDevices	cmdagent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UsageStatHost	cfpconfg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\Proxy\ProxyAuthRequired = "0"	cfpconfg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\IsLmdbCorrupted.cmddata	cmdagent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data\AvRealtimeReincarnateMonitor	cmdagent.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\DbgTrace\MsiExec	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\VolatileData\PendingRebootAfterInstall = "1"	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\ProgramData\Shared Space\Desktop.ini	cfpconfg.exe
File opened for modification	C:\ProgramData\Shared Space\Desktop.ini	cfpconfg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	MsiExec.exe
File opened (read-only)	\??\O:	cmdagent.exe
File opened (read-only)	\??\M:	cfpconfg.exe
File opened (read-only)	\??\P:	cmdagent.exe
File opened (read-only)	\??\A:	MsiExec.exe
File opened (read-only)	\??\G:	MsiExec.exe
File opened (read-only)	\??\L:	MsiExec.exe
File opened (read-only)	\??\S:	MsiExec.exe
File opened (read-only)	\??\U:	cmdprots.exe
File opened (read-only)	\??\E:	cfpconfg.exe
File opened (read-only)	\??\O:	cmdprots.exe
File opened (read-only)	\??\S:	cfpconfg.exe
File opened (read-only)	\??\G:	MsiExec.exe
File opened (read-only)	\??\N:	MsiExec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	MsiExec.exe
File opened (read-only)	\??\Z:	cmdprots.exe
File opened (read-only)	\??\F:	MsiExec.exe
File opened (read-only)	\??\A:	cmdagent.exe
File opened (read-only)	\??\O:	MsiExec.exe
File opened (read-only)	\??\B:	MsiExec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	cmdagent.exe
File opened (read-only)	\??\B:	MsiExec.exe
File opened (read-only)	\??\T:	MsiExec.exe
File opened (read-only)	\??\S:	cavwp.exe
File opened (read-only)	\??\Y:	cavwp.exe
File opened (read-only)	\??\O:	MsiExec.exe
File opened (read-only)	\??\G:	cmdprots.exe
File opened (read-only)	\??\P:	MsiExec.exe
File opened (read-only)	\??\A:	MsiExec.exe
File opened (read-only)	\??\W:	MsiExec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	cmdagent.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	cmdagent.exe
File opened (read-only)	\??\W:	MsiExec.exe
File opened (read-only)	\??\M:	cavwp.exe
File opened (read-only)	\??\Z:	MsiExec.exe
File opened (read-only)	\??\K:	MsiExec.exe
File opened (read-only)	\??\S:	MsiExec.exe
File opened (read-only)	\??\K:	cmdagent.exe
File opened (read-only)	\??\S:	MsiExec.exe
File opened (read-only)	\??\M:	MsiExec.exe
File opened (read-only)	\??\G:	MsiExec.exe
File opened (read-only)	\??\X:	MsiExec.exe
File opened (read-only)	\??\K:	cfpconfg.exe
File opened (read-only)	\??\B:	MsiExec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	cmdprots.exe
File opened (read-only)	\??\H:	MsiExec.exe
File opened (read-only)	\??\I:	MsiExec.exe
File opened (read-only)	\??\E:	MsiExec.exe
File opened (read-only)	\??\N:	cmdprots.exe
File opened (read-only)	\??\S:	cmdprots.exe
File opened (read-only)	\??\H:	MsiExec.exe
File opened (read-only)	\??\Y:	MsiExec.exe
File opened (read-only)	\??\Y:	MsiExec.exe
File opened (read-only)	\??\P:	cfpconfg.exe
File opened (read-only)	\??\X:	cmdagent.exe
File opened (read-only)	\??\Y:	cmdagent.exe
File opened (read-only)	\??\T:	MsiExec.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\guard64.dll	msiexec.exe
File created	C:\Windows\System32\cmdIcapCes.log	cmdagent.exe
File created	C:\Windows\System32\cmdIcap.log	cmdicap.exe
File created	C:\Windows\system32\cmdcsr.dll	msiexec.exe
File created	C:\Windows\SysWOW64\cmdvrt32.dll	msiexec.exe
File created	C:\Windows\system32\cmdvrt64.dll	msiexec.exe
File created	C:\Windows\SysWOW64\guard32.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1049.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.ukrainian.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\themes\default.set	msiexec.exe
File opened for modification	C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\cesboot.sys	cfpconfg.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\msvcp140.dll	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_x64.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\ceskbdflt.sys	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\signmgr.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.danish.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cfpver.dat	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cmdres.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\CmdWRHlp.dll	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\enrollment_config.ini	offlineinstaller.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\scanners\extra.cav	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_x86-PipelineConfig.xml	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\webrtc-plugin.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\scanners\pkann.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\cesboot.sys	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.romanian.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cisresc.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\scanners\bases.cav	msiexec.exe
File opened for modification	C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\ceskbdflt.sys	cfpconfg.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.bulgarian.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1030.lang	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\RCore.dll	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_pdf_x64-PipelineConfig.xml	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\scanners\scrtemu.cav	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\ceskbdflt.cat	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1025.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1029.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1058.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1065.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.german.lang	msiexec.exe
File opened for modification	C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\ceserd.sys	cfpconfg.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\resources\web-rule-block.html	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.russian.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cisevlog.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cmdicap.exe	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Gui.dll	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\CatUninstaller.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\scanners\fileid.cav	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\ComodoInstaller.english.lang.template	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.turkish.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cmdhtml.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1038.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\AmsiProvider_x64.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\imageformats\qico.dll	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Sql.dll	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\scanners\smart.cav	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\cesboot.cat	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\ceserd.sys	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1046.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\recognizer.dll	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\RDesktop.exe	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\resources\block.html	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\ceshlp.inf	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1053.lang	msiexec.exe
File created	C:\Program Files\COMODO\COMODO Internet Security\translations\1066.lang	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\virtualprinter\rcvirtualprintdriver.cat	msiexec.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e568f54.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F46.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A14.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e568f58.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B5E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E3E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EDB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA42C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1FF0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e568f59.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A92.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{57155263-B788-4E1A-B6FE-797111BAD83D}	msiexec.exe
File opened for modification	C:\Windows\Installer\e568f54.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C05.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI351.tmp	msiexec.exe
File created	C:\Windows\Installer\e568f58.msi	msiexec.exe
File created	C:\Windows\Installer\e568f59.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C15.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A5001C53-6E10-4BE1-BA52-D7B364531FB9}	msiexec.exe
File created	C:\Windows\ELAMBKUP\cesboot.sys	cfpconfg.exe
File opened for modification	C:\Windows\Installer\MSI9D24.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F04.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B7D.tmp	msiexec.exe
File created	C:\Windows\Installer\{A5001C53-6E10-4BE1-BA52-D7B364531FB9}\cis.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{A5001C53-6E10-4BE1-BA52-D7B364531FB9}\cis.ico	msiexec.exe
File created	C:\Windows\Installer\e568f57.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	cmdagent.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	cmdagent.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	cmdagent.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	cmdagent.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	cmdprots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	cmdprots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	cmdprots.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer"	cfpconfg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	cmdagent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	cmdagent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	cmdprots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	cmdprots.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	cmdagent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	cmdagent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	cmdprots.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	cmdprots.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7D729A7-3570-4902-944A-470C9919FCCB}\InProcServer32\ThreadingModel = "Both"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50DA6ACB-C994-401B-AD1E-F8DE19915F1B}\ProxyStubClsid32\ = "{9F2D4924-C5F4-43B6-A4AB-C4161C4C2879}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CavWp.AvScanner.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15533C57-941F-44DD-A64D-869868F43471}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F2D4924-C5F4-43B6-A4AB-C4161C4C2879}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE0BD328-5CE6-4B54-857B-890CC3780831}\NumMethods	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9B1A6B4-EF47-4BB6-9EFA-B3F33CFD548E}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4255A182-CAD9-4214-A19B-7BA7FB633BBD}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C080A3F-A265-4D00-BDB5-C1AF90146ED1}\NumMethods	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58B7FD79-DDB1-4CB9-8C2D-38D2A6F884B4}\NumMethods\ = "6"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31A70E75-5CD1-44D4-A9E4-10650F15B1C2}	cmdagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E90F3126-F2A7-4904-A6E8-4B59B1CE27BC}\NumMethods\ = "24"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9FA9C33-D7A0-49C8-8D35-B5B0B26E45E3}\ = "ICisJobUpdating"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA2BDA77-6460-46F7-8B4B-9138C47F1428}\ = "ICisAlertNetwork"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE021FFD-4E99-43C9-B11D-EC9FDE5691CF}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED181758-F11B-4C85-AEA2-199B3DC9F7DE}\InprocServer32\ThreadingModel = "Free"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CavWp.AvMonitor\CLSID\ = "{E0E9D49D-65D1-4AB1-8235-DF90B6ED8483}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8642C481-BB1A-427D-A661-281D34BEACBF}\NumMethods	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4655A35C-D0A0-47F1-AED3-DE7AAF397EDF}\NumMethods	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15FD4539-C2F5-4F46-B142-902BC37EC2E0}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28342371-2B04-446C-A68B-130B4771A1F1}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{632E9EEE-F431-4C89-A18B-9959BCFF676B}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE4DEE24-6CFC-48DF-89C4-29BD4954B895}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95A87DED-690E-4A15-89B4-A8825E14BFFF}\NumMethods	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6686FBD5-734B-44FA-9B3E-02C522299E59}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F77629CE-1CA1-4F50-98E8-816F9C4BAB71}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF101135-6584-46E7-8AA1-8FCD1FCA5042}\ = "CisRmControl Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5E3A461-651E-4E3F-95A1-B765749C52CA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9F70CAE4-E872-43DA-917C-71C02CCE2035}\ = "CisExplorer class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF95F716-AEF2-4AA2-907C-9DCFC40CBBC2}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87A70D46-5288-41FC-9E9D-8D4A5463C40C}\NumMethods\ = "40"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41364AD5-078D-4296-95A4-A24239FFA463}\ProxyStubClsid32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7D729A7-3570-4902-944A-470C9919FCCB}\ = "PSFactoryBuffer"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28342371-2B04-446C-A68B-130B4771A1F1}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10F58851-4358-4E4B-8494-DF34393F41A5}\VersionIndependentProgID\ = "CIS.CisWmiProvider"	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6EBC129-535C-497C-AA55-59A712EF0C34}\NumMethods	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E883AD09-244C-4529-B1A8-E629A6D790BD}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA5CCBBA-DC09-42C1-81CC-41DCCC7D0EE3}\NumMethods	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51461081-2DF8-40D5-9CEC-D9DC1CBDD25B}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFA6CCA1-8A26-4298-BE03-252C8B573534}\NumMethods	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B5608A0-980A-4C2E-AC0A-5D84893206BA}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0351C53B-E95A-4F02-A89B-1FC580B47518}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0145B8-32F6-4E87-BE4F-A89C51618E5B}\ProxyStubClsid32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05DF1A19-F496-489A-B985-F2E321793628}\ProxyStubClsid32\ = "{9F2D4924-C5F4-43B6-A4AB-C4161C4C2879}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65EF8954-B297-48DE-9575-23EE360A4E1D}\ = "IViruscopeActivityDeleteRegKey"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65EF8954-B297-48DE-9575-23EE360A4E1D}\NumMethods	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{342A9490-7F70-4AE6-B553-9BA04288F8F6}\LocalService = "cmdAgent"	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2FCAA56-082E-4CB5-AC35-8EA86764D274}\NumMethods	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3539C559-2626-40CC-97BF-CD9715CB84B4}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E90F3126-F2A7-4904-A6E8-4B59B1CE27BC}\ProxyStubClsid32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B292449-6BD9-4B80-B921-2D51601A46FF}\NumMethods\ = "97"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2FCAA56-082E-4CB5-AC35-8EA86764D274}\NumMethods\ = "24"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0145B8-32F6-4E87-BE4F-A89C51618E5B}\NumMethods	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF085DFB-E64E-4483-B244-B97AEE78A41B}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6611B9CE-5211-44EA-B74E-9FEBFE6352A7}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5D74D66-055E-41DC-A239-995701539D11}\ProxyStubClsid32\ = "{9F2D4924-C5F4-43B6-A4AB-C4161C4C2879}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4D33F09-D11A-485D-AB08-8BFF862E7120}\LocalServer32\ = "\"C:\\Program Files\\COMODO\\COMODO Internet Security\\cisbf.exe\""	cisbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1826C627-0ABD-4660-9947-D5817D3153F0}\ProxyStubClsid32\ = "{9F2D4924-C5F4-43B6-A4AB-C4161C4C2879}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AC07AE87-D195-4101-BAAC-33A74C731E83}\ = "ISvcUrlFiltering"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFA6CCA1-8A26-4298-BE03-252C8B573534}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96D27592-5FAA-4B65-AE65-C41AA290ABCD}\1.0	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90EC0BDD-7FC9-47C1-ACE3-C3B2B9A8282F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10D82495-7F93-4C84-901A-65A9E1DED8EB}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D527883B-2900-48B0-90B7-BD8B0209F289}\ProxyStubClsid32	MsiExec.exe

Modifies system certificate store 2 TTPs 64 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\98D9D6CB8497105298536D86E468DD0323DCF318	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\272CCBC264497707D8DBAEF39868F500CD26BCF4\Blob = 030000000100000014000000272ccbc264497707d8dbaef39868f500cd26bcf420000000010000008d0500003082058930820471a00302010202104a708f805e46e4a95ec561404df11189300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303130204341301e170d3132303232393030303030305a170d3133303330333233353935395a3081cc310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a6572736579204369747931283026060355040a141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632312830260603550403141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb75d6a03819b826e841a62bf9dfb81997d8710b4dd05ee4419b27ed8ae5c09796c84801e7eb3af986e43d8bee487d2f0b2a1c86c01564615ede2a366975407e3c6c86fdc460a3c0f130f583888911df7e529d15e2040897cc3c50fca0efccbcb91c8a59b704f7fa48aea6f3cf0726201a65ebe2bfe5dda03ab947bafc82d8318752bdb09b29fec492a876e511c352a44935b7499c99f384d2672496884c42ddc0230354f1040df837f5e1dc3d7a510a3e1a6ad33546a9e655268ad6df7087b987dd8111798110a7080461fb031e3716e383beee54a0d182fa004e982b11e18a56b2d93f5577c69574105af141981e0466a75996ecc44705dc254ff0bb4fe9b50203010001a382017b3082017730090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f637363332d323031302d63726c2e766572697369676e2e636f6d2f435343332d323031302e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307106082b0601050507010104653063302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303b06082b06010505073002862f687474703a2f2f637363332d323031302d6169612e766572697369676e2e636f6d2f435343332d323031302e636572301f0603551d23041830168014cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010505000382010100606a05f3b174504f923fcc5b4d89643109a2202ec9cd8f1dd8facc1b092b4edcc997e3ec03f8e50eee82b92ebf3e4a2b934dc8c0250307e6cba460ef0b9d57067fea51542488289c721a6031cf4b9a71c65bf200ecb2409ebca5be1f1cc2bf4956f94f6d0614a0ffc076c8f7919807eecbdafa6400d41c45b28c2c72afc86e8a522b5a2c8adfd0a38abdadb8d08b4bec6c25d64540d39caebb6b68716bbe1c2570e92ecab27cc670ce025b7cc21f12a8c1645183710ae2dc2fe385f24ba1a79e122571a64de3afa4c3e8bd9071151d74e0305d4f4e12f86041be1df530d21a00ecad9be7968e99c5f4d4079dc2092375810ebebd5e54e2191ed42a142384951f	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\6CD253D636A7B4D0E0981431BC064061A9853ED9	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F89A37FB24B0417D93BFB760B12121F5A358F9D9	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E73C45BE88C6FBE7562D8B9D1B7E4FE03E29811D	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E73C45BE88C6FBE7562D8B9D1B7E4FE03E29811D	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E73C45BE88C6FBE7562D8B9D1B7E4FE03E29811D\Blob = 0f000000010000001400000059ca050be20779c74b6dd1634db95e0d7ac8e6d5030000000100000014000000e73c45be88c6fbe7562d8b9d1b7e4fe03e29811d200000000100000068050000308205643082044ca003020102021039f51ff05883bd411616bfa62c1c74ef300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3134303430313030303030305a170d3135303430313233353935395a3081b9310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303117301506035504090c0e313235352042726f61642053742e31223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100efe97b1f62481eb08572c14dac7faf5de0544ca4e0b636be10f09f0481ec5f08176888bc5da73ccf1debfba8d16449ad4ca6f017d01cdb3b41ff05b193438132cf6b7c6b90e35289c67281f9cb59d25cf067d17cf3f325384aa1e4f066a193559119faaf864cb6998d5f12109c938c6fe76af32817a3cd004e87fd0d055439886eb41734f78c1e9059dc7de0a2e4839b83441e7b5cd2c2e90628aeb7803567b321950f564557d13ede1519afb734e6bb4d6c1bddf59070342b7f478dd5efc6efb488c1dc1e8acb86fe60fc433070c560e76c30bd74661f1ff91cafb763c8fd32c041752d01fd0df035fb57ef7f4d7117fe4377e9a382540142fdd2441d00f1f70203010001a38201a33082019f301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604147835e6598d5572201de9a55f8a527b1e51ff37b7300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30180603551d110411300f810d636140636f6d6f646f2e636f6d300d06092a864886f70d0101050500038201010039881a7fb87fae796492551ea2dc77b2a01f17e98a2a584ac9f72d0e8f2740f777dba416b35bc88cf30b4b8b05009892ab13e0c4fc7cbe9a177bffea416446d39b6cf91f65967d23f907549ff56a424b307a9a9c48eacd8b9cba65be4ca3d92baf5958dd58c6e41cc35699a17e899a7a8d6df61c2149c629af40638d02613298d112c3597122ae120dec12f2537d585ed9525f4b64926903fba082a7c0f1f04517477a17ab5ed1f9ec2bc7e7154ad0c1822952de2d1cd7ad2cf3929d67a8b491f9401339ca7bcc3d81ee5b93b5a6c5a4bbad53cbae560cfb54fb39ab932d32280a25cbcd9850b68ab6361b04fa2a2ec9b09c5cc8842b832f72e4e919fdcaf5e1	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\272CCBC264497707D8DBAEF39868F500CD26BCF4	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\8D170F91DE1907BF03CD9F1DEBFEF61E3D3670CC	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F5F8EEAC5A0127025E936C01493D1C11D5012BA4	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E73C45BE88C6FBE7562D8B9D1B7E4FE03E29811D\Blob = 030000000100000014000000e73c45be88c6fbe7562d8b9d1b7e4fe03e29811d200000000100000068050000308205643082044ca003020102021039f51ff05883bd411616bfa62c1c74ef300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3134303430313030303030305a170d3135303430313233353935395a3081b9310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303117301506035504090c0e313235352042726f61642053742e31223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100efe97b1f62481eb08572c14dac7faf5de0544ca4e0b636be10f09f0481ec5f08176888bc5da73ccf1debfba8d16449ad4ca6f017d01cdb3b41ff05b193438132cf6b7c6b90e35289c67281f9cb59d25cf067d17cf3f325384aa1e4f066a193559119faaf864cb6998d5f12109c938c6fe76af32817a3cd004e87fd0d055439886eb41734f78c1e9059dc7de0a2e4839b83441e7b5cd2c2e90628aeb7803567b321950f564557d13ede1519afb734e6bb4d6c1bddf59070342b7f478dd5efc6efb488c1dc1e8acb86fe60fc433070c560e76c30bd74661f1ff91cafb763c8fd32c041752d01fd0df035fb57ef7f4d7117fe4377e9a382540142fdd2441d00f1f70203010001a38201a33082019f301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604147835e6598d5572201de9a55f8a527b1e51ff37b7300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30180603551d110411300f810d636140636f6d6f646f2e636f6d300d06092a864886f70d0101050500038201010039881a7fb87fae796492551ea2dc77b2a01f17e98a2a584ac9f72d0e8f2740f777dba416b35bc88cf30b4b8b05009892ab13e0c4fc7cbe9a177bffea416446d39b6cf91f65967d23f907549ff56a424b307a9a9c48eacd8b9cba65be4ca3d92baf5958dd58c6e41cc35699a17e899a7a8d6df61c2149c629af40638d02613298d112c3597122ae120dec12f2537d585ed9525f4b64926903fba082a7c0f1f04517477a17ab5ed1f9ec2bc7e7154ad0c1822952de2d1cd7ad2cf3929d67a8b491f9401339ca7bcc3d81ee5b93b5a6c5a4bbad53cbae560cfb54fb39ab932d32280a25cbcd9850b68ab6361b04fa2a2ec9b09c5cc8842b832f72e4e919fdcaf5e1	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3F14CDC50FA95DFA78F9488E6A96FF0B4011F460	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D70D7D00CA12E1B3E20F3BF7534DEB2C2E7C2404	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0400000001000000100000001b31b0714036cc143691adc43efdec180f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb419000000010000001000000082218ffb91733e64136be5719f57c3a12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\76FBABF1EADED3B91DD7A76A6678301F1F87AA97\Blob = 03000000010000001400000076fbabf1eaded3b91dd7a76a6678301f1f87aa9720000000010000005a050000308205563082043ea003020102021100c5144cf5e535f748a9afa6fc384c0775300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3138303130343030303030305a170d3139303130343233353935395a3081c4310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303116301406035504090c0d313235352042726f616420537431283026060355040a0c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e3128302606035504030c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100e7cbaab2f00e8651180214f1ed65f1eb65ecd2f22b19bdc1d1d2c868f9e0e39acce5af71db4f0dce385be0a9d9893de4c279fd4d443102a027e15e1d61162a3215dde877f8bf3fe0683ed7c43cd7d43f1f1022739cb1f3753d70025a598b42101c9df0cb4fe5bf88417379322b139c038443b11e5bd176d6a4104ee46e6c977a23b6ebf0b37c581c2eb8175c19847a4515dbc2d1cba91a643b66a1d7ed2693894015fa5e3090c634ab718f91869cc46625e9b82208e5a3f645bc22bf0d30c0192c31af3a41d441f9c5c775b7d4c169d5eb30f6d9cf925db9d7ca6f709cda6ff64fbad2094e83cf5bdcdf7e20b0a26187ee5a54d0e6bd5d438fd45f4213f996f10203010001a382018930820185301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e04160414a4cf9fa30897a5d428ba7d95b4c530d622c8bac4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010505000382010100753282ba1f92581fd0486a791deea4b862c2ed4b37f7dedba7a971004dae9d87c6ce89cbd3fe730689f3b30c29830b15b45e023a8b2a0f1d7624ec0d1171abb783d9bfbe2f0a5919eac664f584423d302009ec5ebcabed2fdf775ecc36aba13147d6692833f58f630fff673d6154263421e39aa66111e3ba1a5555651f9dea4f35455e1dfb49a15a1c65d648acd94c68c105a345419e8f4dd9dc7a66ad2d5853982bcea59b9735c186703b164e97844fe093deb4af53f097b59a21c77b896b20942183bb34db84ac0d460f5752876c9fe3f39ce9bcd2a14d7a9fc7b8b3d25f721af0de615c4609ad959c212f1baeb561d0108a90b20fb78f56de7c0817209d15	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E35E6F46A1A9A4D18A4DAA298BDA4D1E8879236E\Blob = 030000000100000014000000e35e6f46a1a9a4d18a4daa298bda4d1e8879236e20000000010000005f0500003082055b30820443a003020102021100d9218e2757ec45d84ec08b3e6700c85e300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3138313231313030303030305a170d3139303730373233353935395a3081a8310b3009060355040613025553310e300c06035504110c053037303133310b300906035504080c024e4a3110300e06035504070c07436c6966746f6e3116301406035504090c0d313235352042726f616420537431283026060355040a0c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e3128302606035504030c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b73a668ff7984c8d990d7c6e51df5176c7842cc1bf351c27286c6139f4831fc718a35b0fa9145f0887de8bce335e8e3e12fce763cab5deeae08e0bf325cd79a4fbb328d7c7f7d53de51bd3c05c5966b634a9b1fc4362afd0267f927dd90a52b6a5f5f0e29c8e94dfe4199b2cf31142bb480e95ecb92b6ca20ecd71ff210df9655e9e9ac856ad7aab929b843052d4a21c27ea4054a9f4e8c4cd88943b1a4d3a58b3e06eb654c6c09cef472d6fb0d05a841ce229b53a5d36bd08cbfdc552f7c758efaa7824c1d27e30a83d7a9cecaab4bd91b2cbd60d1335fc4ac0f0294dd2eeb3f65139467761f091840246ff644edbfacb9ffd7ef2823fd9eea312dd299a39af0203010001a38201aa308201a6301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604147c4f2b645af103043ca7675e8c129c16dee7164c300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d301f0603551d1104183016811473636f742e7765697240636f6d6f646f2e636f6d300d06092a864886f70d01010505000382010100b33c0fee4668b9e86cd777fa94eb47dcaee7fb5b9b897b9458b12e511a194b6ad495ea4b6b820d1c7cd26badf92cfc13aaa9e66157a55545c7ea71460a4fa4e30e46b9ac16a36e94a1fcbc62b2abe402d2a58773344c4b23a0d907a9760029595421e478da67167f80876012443cd22573dc3806cdedbc6c8c4ed255bd926cecc7796ec36fb225d084f31afb5e5a2e86d26149212dda8aed2058ef0d7e7e677b463a7722431a0b5c0b9dc385b7d2e73bd781ee111c8f7e36d76e1db1f6ac98784227ed97cde3762d079741984d146a8ff96e411c1b1e4e711cd00a6150532ffaa13702a81f4514eae48ca0b98d8642a6cfe7711dc67d1b857bfecb4e863bc1f9	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D70D7D00CA12E1B3E20F3BF7534DEB2C2E7C2404\Blob = 0f00000001000000200000008f4390d93853f6a1a1b71fdc231e030586f8213a5846c95d90b527f5c6dbd80f030000000100000014000000d70d7d00ca12e1b3e20f3bf7534deb2c2e7c24042000000001000000530500003082054f30820437a00302010202102f9f0a1d6764b5a6378747247087ba73300d06092a864886f70d01010b0500307d310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312330210603550403131a434f4d4f444f2052534120436f6465205369676e696e67204341301e170d3138313231313030303030305a170d3139313231313233353935395a3081b8310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303116301406035504090c0d313235352042726f616420537431223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100c1b2eafc6255d7a7780082967ba911a65b8160e697a9c81ae0816002356644b714895808a67b22551d87b879e80d0c1bff7bd847e1486bad3c3caa8c6f3258a7311f8b03c68c9ec5947950e57a1f99f4b47b8faaf46e282f68155ae6e8f13c9c125b5eb83ae4e63ee6081d0e8aae4f090175a538422b38e0600bd94b21b313567934ee959ddd6ab7ef62bce25dada05d7de6a75cefeffdcba6a1fc8e1ef7aa6d3e5ab328732c3d31759a20d7e69cef60ac9d152041dbd85167a78329f3a80fee19ea9edb102448aa9f5774794ecb560de2faa348f278b846a2a5d8238d5e4e4cd2a82f0e37415af2dc63f34f3e179aa1cae7290b411aaf5aa6acf5404ebe98130203010001a382018d30820189301f0603551d23041830168014299160ff8a4dfaebf9a66ab8cff9e64bbd49ce12301d0603551d0e041604146c5f99825f4ba8d4c19bae5169bab32fae7816ca300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e63726c307406082b0601050507010104683066303e06082b060105050730028632687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010b050003820101000f718c2aa40e9c44a95e1eca3844097ddb7fba896b5f5c73a6b9aede1d29f0e432f41c8a45ce38b1f52df73f45e67907a03ac58d407b3077b1cae246a54544ee365bcee4bf0f4cecc47b01e98d0478d8f4c93e2c582aa472577de9c67a0a8c2e37635e626258675e0e6669babee331594abed516679e8f1b14d7a65dc1b76ab33412689b135cf855335748e2d1998759e5b95f68d418d5486d385d0db7a8fa30e58e84f57bb7ec3f45efa549fab71775c822ec846545b6fc0ef1d3c2dad34940657088fc5f773a1cbe24f9228f9dd7e9611d5d682998c6041ba580a789f5571da01d6723784bbcec4fded61d0ba31e37fbc10c3dfe06169df4670c8d454019f7	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\AAEEC9D4420C8885AB80A78275A504E13DF78F63\Blob = 0f0000000100000014000000f5573d215cbfc1f23aa5f10e8cc9b1b56a89c329030000000100000014000000aaeec9d4420c8885ab80a78275a504e13df78f6320000000010000004f0500003082054b30820433a003020102021100b7b845b45da5c6005dcd7eda4d8c2f94300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3135303430323030303030305a170d3135313233313233353935395a3081b9310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303117301506035504090c0e313235352042726f61642053742e31223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100e5f713b0311badd1b9bfba6140900b94304d8b54cbbd334e44af09addb457a07d451677595b5fd58634ba6de15c31a589307b3f06ae03a71faf301a38adc8b4551eb4a0a5f03b879cfe14c83683cdf303e813af00d7580b8c698930b706f2129b22e07896973e536db15bc595ba61064844c778e0c0c1d311543a4cc0cd3f08d03b8e7f83824e545f7166e146958d8fe0ff8ddd5082b0b7d46d001d6522885f1f9984c5c1c128120e870acc31c791d2a62cef6ecdf28f20f5385f96d59b9ad571e980d1ae120263859e1c184d5a072dc6e84d8636fd795163c3f359050f5aaaaef14c77547260547ead00b06ba4c976cac8345d8582044468a67121fa0bb22490203010001a382018930820185301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e04160414a3e91fb45376d935db1e36a801470ea0c52520dd300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d010105050003820101001dece50ca6750a8c01517ce5d8511a13c14fa76fb2d8bf2c9b4f136522ff18271d12ba269c4bad9c3250331a712998c55780d5e66be856233bf4e30557657568e1e2b0955580a2a14d5cd153df7751e0251d5616a6855a3f1d087b7d1c1dab0ed79aff614d7316fca143eeb791e5e8c48fb4574f1805210704e3957c5802f654b94177bfe5e36353d80125335e7d870cbf0c87d3809f9203a1120e5f196ee5c6fe81128ce392a9d5b0126b2b38447e587c51ab2fb95bd97d3d2621409f074b584f013ba552aba2de6d8a3afa63e164ba9ffc3b19980e36855885a0f66c17315e0302ac4556e283aa970dacffc004f342a9f408c5886bb41e70a1b8a636c24cb1	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\577DB581A72DAC211A2E3E547077529D54671825	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09\Blob = 0f000000010000002000000049e1d274c369098b74ade85fdc204a4093683e58a6a4e2d53e386e1d3a3172ac03000000010000001400000003d22c9c66915d58c88912b64c1f984b8344ef092000000001000000220600003082061e30820506a003020102021100909bd8c9e6e31da161991dd98a992433300d06092a864886f70d01010b0500308191310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564313730350603550403132e434f4d4f444f2052534120457874656e6465642056616c69646174696f6e20436f6465205369676e696e67204341301e170d3136303131323030303030305a170d3138303131313233353935395a3082011b3110300e060355040513073339313038303531133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c6177617265311d301b060355040f131450726976617465204f7267616e697a6174696f6e310b3009060355040613025553310e300c06035504110c053037303133310b300906035504080c024e4a3110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303116301406035504090c0d313235352042726f616420537431273025060355040a0c1e436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e633127302506035504030c1e436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e6330820122300d06092a864886f70d01010105000382010f003082010a0282010100d9c268a473b03c64865a19f078bd931c10a3f69e1bb034714399f815cc77ddc8bd02154aa978d07f397bbacf382809acbbb80bee3079b1d7337e1590e95090fa820fd775ecbcceb3aa37a5dfaa002e0a11bab6eac483086de41eaa09b76bc84c703a5abb4416d27a9d91a162274264b68a44faeba0676ff317d4976688b0498b4a0fb721e82b66dd4ca0030261f9d50b34b74df3eb8241344a1fe67b8fb74fb9d9ca7a0ab5dfee12c247ac5a971f02a775b5817c7567fa329163bc346070b0c429e678f0cb1789488878a1b934f7820d6e5687da101b3f85faafc631122c7f12131fc472a0a585b40d490ba440cf36f3f289f70fc507788c573bb2cad81185770203010001a38201e2308201de301f0603551d23041830168014df8ff3200ce9caa604d85b58372a3dab46dc8349301d0603551d0e04160414e44bdb3217f4a88a2348bf0c261f3d65858737fd300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010601302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e636f6d2f43505330550603551d1f044e304c304aa048a0468644687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341457874656e64656456616c69646174696f6e436f64655369676e696e6743412e63726c30818606082b06010505070101047a3078305006082b060105050730028644687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341457874656e64656456616c69646174696f6e436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33393130383035300d06092a864886f70d01010b0500038201010058c500c5a67c7a185c5c643fc2185072f2fdbac641b92017efd129efda442175d7e77f53e87a9325cb6c6fdc0aab804bc1248ecc295fa352bdaa214b34496bbafaffcef1c9822242eb0bda7431015bacade8904e7abe4343bf182a2f1a6ba4b10e9ca843001a25787977095918731bfd850e42373e5c0258693090560c5584b95458b82a90d12876474ba1d3cb93cf8eac26b4fd122890fe0f6bdc2631020242d87646d20731b98a4b735bc9240d2f3c4c12e7825ff3fdbb7af84855892fb292a3a0600534710785897d0666c6f2f7a9b7784a020f9f74acaa0cd8d8651af4e6b1c56e000c97d90fbe64e6f49ef2969bd6dc5e4f5841b148d1ca19118c4c6b29	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\272CCBC264497707D8DBAEF39868F500CD26BCF4\Blob = 0f00000001000000140000005551d0230a7eb864def3365a683684aa56cac33c030000000100000014000000272ccbc264497707d8dbaef39868f500cd26bcf420000000010000008d0500003082058930820471a00302010202104a708f805e46e4a95ec561404df11189300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303130204341301e170d3132303232393030303030305a170d3133303330333233353935395a3081cc310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a6572736579204369747931283026060355040a141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632312830260603550403141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb75d6a03819b826e841a62bf9dfb81997d8710b4dd05ee4419b27ed8ae5c09796c84801e7eb3af986e43d8bee487d2f0b2a1c86c01564615ede2a366975407e3c6c86fdc460a3c0f130f583888911df7e529d15e2040897cc3c50fca0efccbcb91c8a59b704f7fa48aea6f3cf0726201a65ebe2bfe5dda03ab947bafc82d8318752bdb09b29fec492a876e511c352a44935b7499c99f384d2672496884c42ddc0230354f1040df837f5e1dc3d7a510a3e1a6ad33546a9e655268ad6df7087b987dd8111798110a7080461fb031e3716e383beee54a0d182fa004e982b11e18a56b2d93f5577c69574105af141981e0466a75996ecc44705dc254ff0bb4fe9b50203010001a382017b3082017730090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f637363332d323031302d63726c2e766572697369676e2e636f6d2f435343332d323031302e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307106082b0601050507010104653063302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303b06082b06010505073002862f687474703a2f2f637363332d323031302d6169612e766572697369676e2e636f6d2f435343332d323031302e636572301f0603551d23041830168014cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010505000382010100606a05f3b174504f923fcc5b4d89643109a2202ec9cd8f1dd8facc1b092b4edcc997e3ec03f8e50eee82b92ebf3e4a2b934dc8c0250307e6cba460ef0b9d57067fea51542488289c721a6031cf4b9a71c65bf200ecb2409ebca5be1f1cc2bf4956f94f6d0614a0ffc076c8f7919807eecbdafa6400d41c45b28c2c72afc86e8a522b5a2c8adfd0a38abdadb8d08b4bec6c25d64540d39caebb6b68716bbe1c2570e92ecab27cc670ce025b7cc21f12a8c1645183710ae2dc2fe385f24ba1a79e122571a64de3afa4c3e8bd9071151d74e0305d4f4e12f86041be1df530d21a00ecad9be7968e99c5f4d4079dc2092375810ebebd5e54e2191ed42a142384951f	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\AAEEC9D4420C8885AB80A78275A504E13DF78F63	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\76FBABF1EADED3B91DD7A76A6678301F1F87AA97	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3F14CDC50FA95DFA78F9488E6A96FF0B4011F460\Blob = 0f00000001000000200000001705f30c1efa865484eda67d661a2ab216476c3a8ffba79e46b502660e8191cc0300000001000000140000003f14cdc50fa95dfa78f9488e6a96ff0b4011f46020000000010000005f0500003082055b30820443a0030201020210124ee46d5e92cc4dbd6ebf3acd2e7fd0300d06092a864886f70d01010b0500307d310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312330210603550403131a434f4d4f444f2052534120436f6465205369676e696e67204341301e170d3137313231333030303030305a170d3138313231333233353935395a3081c4310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303116301406035504090c0d313235352042726f616420537431283026060355040a0c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e3128302606035504030c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a7f0a04410f74dd9a1c24a14699f977551af2f528fe1a83b461da7a6d4e3099d5853b065396e990d9fa3c4ad1232128868cbebfc1aa5edf788f6d8aedb9ab5a82e923276061bb0d6980237f6dcdf8876f8bac93bc05edcaa0b8f93d0d03c132c8bf0a11bbaa16106732d636fab5f2710acd3711181454cf419d27f3078cda5c96ed284c2102ef8723e1e7510fbaa7fb3025a00d72f226fbcb69ea8192e7862f422fd83c221b77eb4953f1ad779765b2f8292004a11fd266bbcbbe0448fd199ce6a70e990ffdc11105bc4b92b1b90b82010ff56eb8daa434bd6405b519552649c4e136ae8c381171fe2d1a4e0522dbd2feecddc2cb40a01accc49b5bc55d59fb50203010001a382018d30820189301f0603551d23041830168014299160ff8a4dfaebf9a66ab8cff9e64bbd49ce12301d0603551d0e0416041470cfd4fe3684b3c7eb2a7f08aae10493a839344d300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e63726c307406082b0601050507010104683066303e06082b060105050730028632687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010b0500038201010020d13cee9ecf43b51c1a9ef12f4ff2f85516a21fd1c4df41ef814d29d3113647e46e39dda693e0548c31f714e64b8176e537f6191407bb7f422a9bcc941f4a4703b0a508e29adb32b527f50b68e0294971778d1ccde7126f5536d488267cf7a0cdd83fb1e93af6b43fa6cbf4a2f01d6c8cf4a253c2c94f7518bf38efa43239155ef7b7bb4c139540d49af1ca750469f06f01c82d11b0f2fdfbdf3d9c778c8d23d2d40a66ce10d6e07a74955907a2937a6ba6a5dcd7071fb61e3ce34b610e03ca8e6c5a003da76d492fc19ee8666d237499f486b6b8d8a1da4f3052abee516491d09f9d687129f44ba62151e2656710b8dd9a7e9a19d1d4a91e9b6a642d5996b3	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\577DB581A72DAC211A2E3E547077529D54671825\Blob = 030000000100000014000000577db581a72dac211a2e3e547077529d546718252000000001000000620500003082055e30820446a00302010202105eb0a7021a06c5b10c21eb8b1716c6b0300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3132303631343030303030305a170d3133303631343233353935395a3081b3310b3009060355040613025553310e300c06035504110c0530373331303113301106035504080c0a4e6577204a65727365793114301206035504070c0b4a657273657920436974793121301f06035504090c183532352057617368696e67746f6e20426f756c657661726431223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100b955ac4b449fee58fa6314876ead56819f17569e8d4fad77698ce21a7c28bfd3d50eb1b77023e54d202eca50e13f4b23eb336fbff44bc2537045bc50687f524781a5a47057dc2761e531664acd1167f8f62c60a49cf4473093b3a12a975d70f60d7d9fbac2336f534bdfae2fff191321ae2f794998ab4f71ffc28537a7a820dbacdaa03ae83b8fe264825baab754a460ecdb41f1e1eac9f3c07492520bdffeee31b2ccbb79f9ac3151569e506665437d470c977082490dd030d0fc6c0e6480470f95b41e47ef7933677fa03e67493d7e855002755a41338060853cc34249fab73c233515b179384b7198bb91d33d8294664d329f251f6510828aba15f4311fef0203010001a38201a33082019f301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604142e10c21ad189ebcb079c83f277d898c9144ade08300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30180603551d110411300f810d636140636f6d6f646f2e636f6d300d06092a864886f70d01010505000382010100ac5ef51daeb71d81e2741745d8959c9a87d731ec7883d97033d6c2d2907b6a47c20bb79300888a341d66a43e7dd399cc52e7fa6695e8aa9a933f8bcb76dee802e1def8c6ac4153514d3793188130b1388baa405f4c8d3710c1a1333f666a0a9eed5844fef4e266a15f8785fff19f6c1e6f1304a7b9dfbd518477e39bf4ce32ebc5931519123198e35b754a77f0e6776046004e9d1b4b55f7bb0580583a605934affb7416f499a1a1fdc31b30cd9ec46e04764b5fb45a19257d971d7120f28bf81ee6e1a82720653d58a45694b395f7ae64a7d7712d9b127d0051903d96462314fc35e9091e08736f9e25be120d3b4bc28a443c5315c06cef5522a4d2c97d3d04	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\31D019FC7AB697D57D9C4AFB340ED7C4D10400DF	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\6CD253D636A7B4D0E0981431BC064061A9853ED9	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\39488FE6BE0D00E76D475BD2902442A541A0E1A3\Blob = 0f0000000100000014000000ec90220b9fc81a6e1bbb4c4523e5adfeb4c56a6e03000000010000001400000039488fe6be0d00e76d475bd2902442a541a0e1a3200000000100000068050000308205643082044ca0030201020210071ae4a2402bb0ad40f3fbd4402b9290300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3133303430383030303030305a170d3134303430383233353935395a3081b9310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303117301506035504090c0e313235352042726f61642053742e31223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100d16dbef9f9b66b60cd10d445259a1340e176ea68a389e786588ea50ddede49f026ee9fadcdfaf92a4d5759e4157f166827acef7aaec040e4ec816905e85396416ae568b0f57672069ab644792bef047fcbb11ec708f7e6e8c06f484b328cfbf769aaaad4aafb9f6c4f4c22e552bbd41b367ad3a5130f06f71bdfce3f295a2eb35c6863496588a6a018ef0205d950bb2aa130263f0e4dcc3976de1c04a41d6f825e47e6d0da838b1454fe7bc35449984bc83e906f76ddc59e70fd00f8393b377dd459a3ed394db48a66dc4b6411d7d65dddbc1a964022d77bb4fe6bbc1a6d39f4832c15dbee8183f2fe46aa57bca4e2df4a3f7843f3bf677abf63c363d39c1b410203010001a38201a33082019f301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604145e313f971a8d01f8288f3edaef539b06c99d97fa300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30180603551d110411300f810d636140636f6d6f646f2e636f6d300d06092a864886f70d0101050500038201010044a773cdd6d5f08fc0a6d76d84ca14d5cb7ff98f2c9b2a9d28902d5d24282fd9fe6e3cad24fa31199ee0f2ef48e973ccb133e9007791b76362a14839b97b80bfefce0accfb9dedaa51e2c3a213114442009d1479088e2beca664c6ade7ba8e3913bdfa8589fc8ac59177ca3705e58585f1887685b89bdbf1b7bc6efa82a2b4ae273eebd53dea3651cb0e77e016b69ca726f759106338c242f1596225f235854d612ffaf7e9a8756403d802a071dbafab7cd14a44005bb3bd1ba21235816372cf32775985b2a09248f8f52065cb58b9c09cbf50e7e3bbbc78e69118e67e882a52385d456ee824e1f4d631d87b394cc1d19eda889b4933ddecb183548df778759b	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\98D9D6CB8497105298536D86E468DD0323DCF318\Blob = 03000000010000001400000098d9d6cb8497105298536d86e468dd0323dcf318200000000100000001050000308204fd308203e5a003020102021015f007bd5f4ef8079892414f2c01d1d1300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293034312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303034204341301e170d3039303333313030303030305a170d3130303333313233353935395a3081c0310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a6572736579204369747931223020060355040a1419436f6d6f646f20536563757269747920536f6c7574696f6e73313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e2076323122302006035504031419436f6d6f646f20536563757269747920536f6c7574696f6e7330819f300d06092a864886f70d010101050003818d0030818902818100c98a30777f1383df7fd5858ac100e27deaaae1b334d290c2f5c80caf0da0fe0d867093e41a8306582d1645f3227c76e9dd517915d9d934df581873f4e8eb1707eef36402f320aba6fd4a31baecafa515473ea7d7b18275b9527cae10747f2468640e050a260064328393b7ba7a6372af443b24d461e4465c80ab1f720a4936890203010001a382017f3082017b30090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f435343332d323030342d63726c2e766572697369676e2e636f6d2f435343332d323030342e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307506082b0601050507010104693067302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303f06082b060105050730028633687474703a2f2f435343332d323030342d6169612e766572697369676e2e636f6d2f435343332d323030342d6169612e636572301f0603551d2304183016801408f551e8fbfe3d3d64367c68cf5b78a8dfb9c537301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d0101050500038201010010da5f375376fdc6aef5a9771878d640588ecb4348af3ce8d157fcc3bd313d17d24f3f0cd56417b74cdccd93fefc71f5391c3851ecda633dfb854a4426927cf1cabf5b0577c0e435588889cffa768ee31961b70b287fabcc46d8cd97fcbc6ccb05ebf4bb866693936cfc04e39da95a03002b85ef6136029cf1abd2a645daf6fcaf8f656f52ce020a9c7cb50efd0c7a8870064e739588be196d11a51009ddd1b14ebfa77674f5a83a6fcc3e4944de515fc63bb1f09d4af60412df166dac76f6ffce977a3672c75d234bb6720b86a0e8d7e34070af8ce063ec686463596c71f3eb61bed40332a588f7e2a3a99da776af16bc94e218fdc5af008a304a716c73f624	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\C6C9520866B57431E708BB81342E072205CB5BE0\Blob = 030000000100000014000000c6c9520866b57431e708bb81342e072205cb5be020000000010000008d0500003082058930820471a00302010202100c078e1d0f486bf4325e09f8bedf2446300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303130204341301e170d3131303330323030303030305a170d3132303330333233353935395a3081cc310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a6572736579204369747931283026060355040a141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632312830260603550403141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d259e2895bd9e9403944235673728dc6536175a5dd87ae799971db72df0530cd9e1bbca1b2d8a1dcb7daf112ef085cd6799d1f1dcb10c0e2947121be232c205edbc670b140e3d991ac6721c371c9ca2e32056c1d71e1cfe57382bc7d70944ca90a3f7b9ecdbcb78c141341ea0f144d4293fd83cdac3ff598618042df6c9d604d21c4c68b3e2a542b1a6a49c0f267aeab4ca6f65ba4767a961c7133688f52f9d292a345ef4c40e0fa13b07a1f76b82f0fad48abdc8b14e24b1b5cc00eca542db1fc579843c204db6b4ba18037be05efa09659c08e896fa293eb9f1629c21a0c86b7d867fc9fcfee94f70aec86196b714639a156e41e9bf1e630710485158e7a1f0203010001a382017b3082017730090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f637363332d323031302d63726c2e766572697369676e2e636f6d2f435343332d323031302e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307106082b0601050507010104653063302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303b06082b06010505073002862f687474703a2f2f637363332d323031302d6169612e766572697369676e2e636f6d2f435343332d323031302e636572301f0603551d23041830168014cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d010105050003820101008ac92cc8145ce639e61c121954f20a835339bb47f44c9544579918ab8530315d491146e8e536ab85f3b9e96f4ed30bbc8b01d7f40b8078a8ee210c088952c6bc1063a05ea02924704b7c9e1e2f2910a6443f29b7d1a06943952d09c99242ecba6fae43a8752f313b4cfb05aea18329163218a4e9c8884fc42f7cdcacb7535f56a1a82ebc38ae19c01ff72bd0ff347453f604d4188d75abf602799400788715be414c6e1911b737ad0e07bf049711b9460fe933665551beed9b17679c9c7ed1d81ad4509f706e38398b89159be6c97ad2d68ee540816a30e0657d65f49207812420831f9cc54190ddbd0b86d610f2f0f7f1bf583bf4fffb1744ffc83289a24552	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09\Blob = 03000000010000001400000003d22c9c66915d58c88912b64c1f984b8344ef092000000001000000220600003082061e30820506a003020102021100909bd8c9e6e31da161991dd98a992433300d06092a864886f70d01010b0500308191310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564313730350603550403132e434f4d4f444f2052534120457874656e6465642056616c69646174696f6e20436f6465205369676e696e67204341301e170d3136303131323030303030305a170d3138303131313233353935395a3082011b3110300e060355040513073339313038303531133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c6177617265311d301b060355040f131450726976617465204f7267616e697a6174696f6e310b3009060355040613025553310e300c06035504110c053037303133310b300906035504080c024e4a3110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303116301406035504090c0d313235352042726f616420537431273025060355040a0c1e436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e633127302506035504030c1e436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e6330820122300d06092a864886f70d01010105000382010f003082010a0282010100d9c268a473b03c64865a19f078bd931c10a3f69e1bb034714399f815cc77ddc8bd02154aa978d07f397bbacf382809acbbb80bee3079b1d7337e1590e95090fa820fd775ecbcceb3aa37a5dfaa002e0a11bab6eac483086de41eaa09b76bc84c703a5abb4416d27a9d91a162274264b68a44faeba0676ff317d4976688b0498b4a0fb721e82b66dd4ca0030261f9d50b34b74df3eb8241344a1fe67b8fb74fb9d9ca7a0ab5dfee12c247ac5a971f02a775b5817c7567fa329163bc346070b0c429e678f0cb1789488878a1b934f7820d6e5687da101b3f85faafc631122c7f12131fc472a0a585b40d490ba440cf36f3f289f70fc507788c573bb2cad81185770203010001a38201e2308201de301f0603551d23041830168014df8ff3200ce9caa604d85b58372a3dab46dc8349301d0603551d0e04160414e44bdb3217f4a88a2348bf0c261f3d65858737fd300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010601302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e636f6d2f43505330550603551d1f044e304c304aa048a0468644687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341457874656e64656456616c69646174696f6e436f64655369676e696e6743412e63726c30818606082b06010505070101047a3078305006082b060105050730028644687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341457874656e64656456616c69646174696f6e436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33393130383035300d06092a864886f70d01010b0500038201010058c500c5a67c7a185c5c643fc2185072f2fdbac641b92017efd129efda442175d7e77f53e87a9325cb6c6fdc0aab804bc1248ecc295fa352bdaa214b34496bbafaffcef1c9822242eb0bda7431015bacade8904e7abe4343bf182a2f1a6ba4b10e9ca843001a25787977095918731bfd850e42373e5c0258693090560c5584b95458b82a90d12876474ba1d3cb93cf8eac26b4fd122890fe0f6bdc2631020242d87646d20731b98a4b735bc9240d2f3c4c12e7825ff3fdbb7af84855892fb292a3a0600534710785897d0666c6f2f7a9b7784a020f9f74acaa0cd8d8651af4e6b1c56e000c97d90fbe64e6f49ef2969bd6dc5e4f5841b148d1ca19118c4c6b29	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\C6C9520866B57431E708BB81342E072205CB5BE0	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D70D7D00CA12E1B3E20F3BF7534DEB2C2E7C2404	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\8D170F91DE1907BF03CD9F1DEBFEF61E3D3670CC\Blob = 0f0000000100000014000000aa0ce7c3ca656a11aca42410066480cc1cddda610300000001000000140000008d170f91de1907bf03cd9f1debfef61e3d3670cc2000000001000000130500003082050f308203f7a00302010202102c01585522e8fa61138aefa4f627eea8300d06092a864886f70d01010505003081b6310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f7270612028632930393130302e06035504031327566572695369676e20436c617373203320436f6465205369676e696e6720323030392d32204341301e170d3130303330323030303030305a170d3131303330323233353935395a3081cc310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a6572736579204369747931283026060355040a141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632312830260603550403141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30819f300d06092a864886f70d010101050003818d0030818902818100b78b6ba1d6ad632f49c5b7ad19ac17479b5bb3d66034124eba28c27dc98235f41b4996e53da458d3a5d5b7539f44126b203fbb8a9201b13d7860c645f83f2633f8d9e08e2a424f3ca50e48aae25614645c3fe3fea64764476478569e5e0a617568cb78a79f933cc071fd9a0aa0e74371f184a63bb6e82962416ac3c6263602890203010001a38201833082017f30090603551d1304023000300e0603551d0f0101ff04040302078030440603551d1f043d303b3039a037a0358633687474703a2f2f637363332d323030392d322d63726c2e766572697369676e2e636f6d2f435343332d323030392d322e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307506082b0601050507010104693067302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303f06082b060105050730028633687474703a2f2f637363332d323030392d322d6169612e766572697369676e2e636f6d2f435343332d323030392d322e636572301f0603551d2304183016801497d06ba82670c8a13f941f082dc4359ba4a11ef2301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d0101050500038201010023e7d8b884c4cb85444c8cf519168ad5377a4c6cd1210690ef8ff7e3c1d26395f54eec8be2e3673c46cf0e7dae32818bad45ed786d10d63c968001c35f455b3f828cd7f8cf995c6b7bfb2bd915c802f49ec9c5a74870af2740950fc71d8cb7512bea2ff1ad13e9f3615fc515c8fd35b0df32293ef5be1c660e544682d2b12968d0ea991f1ce83d69127de6e9b90898536f6d2d2e345a5174b970694af8415a9866a64c786047627717e382a445877348cfbcc631c2fba28185efbe4ae5bdfa9b7c682ac66797c80528aa9ec74d05eb6d6c1b376b439fe312329968f466e345f16ff92c7cbcfa6a6116cd1cfba2bf32c066c2c8181028a315914824130b95abb2	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\39488FE6BE0D00E76D475BD2902442A541A0E1A3	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB\Blob = 030000000100000014000000872cd334b7e7b3c3d1c6114cd6b221026d505eab200000000100000059050000308205553082043da003020102021024be55999e338f74f91f0f4570845e51300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3137303130363030303030305a170d3138303130363233353935395a3081c4310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303116301406035504090c0d313235352042726f616420537431283026060355040a0c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e3128302606035504030c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100ed95073c8ec3d17a4c21362d65d31f6835641be6a0d9a9d5072d3a6e00883eea41fca3f5a0b1d74693f49a26b99d2d601292be9cfda68fdaba56544fd75cbf1123626a2890d27cc8de2fbd504f6ac74255481483fcf45458f1887e8d5a3767c1fdb427ea7021ca9709451de51c1fa529f920e478de2d1c19e5e09d0168326d9257f5d4dda80112835171a125a8d34125f1237a2100fe79eff05d78d8a52113510c01f74d43f8884b559a5c1bd70b36c599594bd567fe3a533eadc6450a74e4922d4ccc525ba35a1844c190a6f3a4d34a48e7b852a26ea446cdaf4b8de433dd10efca232a605d88617116c1b632f37a87c3b1de4a317fec53ee9aa87cc9f07e790203010001a382018930820185301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604145cfe6910a18681d46ca19cb26662da9ed10a524b300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d0101050500038201010086d177654176251a873d7a8023bcb603de50958307f4f54da2988e652be3005cf46516fcdbd42e3d933bfc05b7f0f87d4410c12f58f4ec0f1926e9b1a2f525a59575266afac8493dab23ccb9fd4f4fd26dba1db7491789c96c9e2ecf609e6c71d6cd868b9c34be32f99f1f6315656df7b3c10e18e3074bb8da6b8e22a55cebb7b3c79e251a8a53d0d4b7d044fa3d00db8e674f163d60f24d2ab87719c4fef1ea2eb87814e6efe2390dfa9c19f2b57287e048496b7ce9c8b990fe54b58d901bb722cccab45b3cea1322108a15f33392a612de66f646a5b4cf51b3d12d481b86b2a32f59ee94abdc13889480d47c1479930733f69b2391ff1a8455385326054fa5	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\6CD253D636A7B4D0E0981431BC064061A9853ED9\Blob = 0300000001000000140000006cd253d636a7b4d0e0981431bc064061a9853ed920000000010000001b06000030820617308204ffa003020102021032327facb1bd6f1fa93473ccc515fd82300d06092a864886f70d01010b0500308191310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564313730350603550403132e434f4d4f444f2052534120457874656e6465642056616c69646174696f6e20436f6465205369676e696e67204341301e170d3138303132343030303030305a170d3231303132333233353935395a308201153110300e060355040513073339313038303531133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c6177617265311d301b060355040f131450726976617465204f7267616e697a6174696f6e310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e311a301806035504090c11313235352042726f61642053747265657431283026060355040a0c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e3128302606035504030c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b7713778a66667b8cd67f828f378f80a5507c4e8aa143cfd5b9b953ab16d04a965dcd386a35efe8378c1e0e5ceaf124f188102958962014e493cd80f11fc2ba339953a8bb71a9f030ebbe8742b4252ab465a2d41a829508a9eef5d34d171fcf0b5be026fe15e1a70288b2ecd4af1332924d53c0eefe5c7033482769cae8b5c5e8d59033fac40e94d714c5cd05e8db6f0edb71bb26565d52a025f35323203e9a7846d00a235f973d1e43f29a81dcd1bfef625d373f94a51cc8d2be8ee69702a73a694da69d9b0fbae7d1dee353683a2037a2019b9260a1b53f6c89d945b384c275670bdfac333301504af00749373356a1e7a422eb9363bdab713f9ad6b5bb1970203010001a38201e2308201de301f0603551d23041830168014df8ff3200ce9caa604d85b58372a3dab46dc8349301d0603551d0e04160414e18081b3e9396b7109e8b2add6c3d20ebf4b4814300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010601302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e636f6d2f43505330550603551d1f044e304c304aa048a0468644687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341457874656e64656456616c69646174696f6e436f64655369676e696e6743412e63726c30818606082b06010505070101047a3078305006082b060105050730028644687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341457874656e64656456616c69646174696f6e436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33393130383035300d06092a864886f70d01010b050003820101004bc17929ea82f3c4787f7b29b69edb09e169797a9f4cd233f035412d2b9c586e352d2c0d1cd530a946a91ccd8858453573f0b45a0cdc743d662af4761420489adadbd9a84915b697f96ed1e49786c53000eb12555d3b2957eec18279326020737e2e3e4d621856026169ad6f6cf18ee7b59d5b6a7e6d8c252fa1a15363ec89a6efe5efdf4b260ad35c6a0e1db0250d1eb66ea7b91f15e0f57ecc0541e1ad74a2069f717dec0b1f03101b6812c13f64264f8c40a3614ffb8ccabedb974cda14eb50c061d5cd23dc7735cd0bcfdcef3fd178c1f95594a591031d05c8554cb5fe6fd23cb95931bf847f5b525a269aeac0336313e8f6e81ccb1692d86993724f709e	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D70D7D00CA12E1B3E20F3BF7534DEB2C2E7C2404\Blob = 030000000100000014000000d70d7d00ca12e1b3e20f3bf7534deb2c2e7c24042000000001000000530500003082054f30820437a00302010202102f9f0a1d6764b5a6378747247087ba73300d06092a864886f70d01010b0500307d310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312330210603550403131a434f4d4f444f2052534120436f6465205369676e696e67204341301e170d3138313231313030303030305a170d3139313231313233353935395a3081b8310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303116301406035504090c0d313235352042726f616420537431223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100c1b2eafc6255d7a7780082967ba911a65b8160e697a9c81ae0816002356644b714895808a67b22551d87b879e80d0c1bff7bd847e1486bad3c3caa8c6f3258a7311f8b03c68c9ec5947950e57a1f99f4b47b8faaf46e282f68155ae6e8f13c9c125b5eb83ae4e63ee6081d0e8aae4f090175a538422b38e0600bd94b21b313567934ee959ddd6ab7ef62bce25dada05d7de6a75cefeffdcba6a1fc8e1ef7aa6d3e5ab328732c3d31759a20d7e69cef60ac9d152041dbd85167a78329f3a80fee19ea9edb102448aa9f5774794ecb560de2faa348f278b846a2a5d8238d5e4e4cd2a82f0e37415af2dc63f34f3e179aa1cae7290b411aaf5aa6acf5404ebe98130203010001a382018d30820189301f0603551d23041830168014299160ff8a4dfaebf9a66ab8cff9e64bbd49ce12301d0603551d0e041604146c5f99825f4ba8d4c19bae5169bab32fae7816ca300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e63726c307406082b0601050507010104683066303e06082b060105050730028632687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010b050003820101000f718c2aa40e9c44a95e1eca3844097ddb7fba896b5f5c73a6b9aede1d29f0e432f41c8a45ce38b1f52df73f45e67907a03ac58d407b3077b1cae246a54544ee365bcee4bf0f4cecc47b01e98d0478d8f4c93e2c582aa472577de9c67a0a8c2e37635e626258675e0e6669babee331594abed516679e8f1b14d7a65dc1b76ab33412689b135cf855335748e2d1998759e5b95f68d418d5486d385d0db7a8fa30e58e84f57bb7ec3f45efa549fab71775c822ec846545b6fc0ef1d3c2dad34940657088fc5f773a1cbe24f9228f9dd7e9611d5d682998c6041ba580a789f5571da01d6723784bbcec4fded61d0ba31e37fbc10c3dfe06169df4670c8d454019f7	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB\Blob = 030000000100000014000000f8db7e1c16f1ffd4aaad4aad8dff0f2445184aeb20000000010000000906000030820605308203eda0030201020210078f0a9d03df119e434e4fec1bf0235a300d06092a864886f70d01010b0500308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f726974792032303134301e170d3134303532383136343334365a170d3339303532383136353134385a308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f72697479203230313430820222300d06092a864886f70d01010105000382020f003082020a0282020100c20f7f6d49bb39f04d943fe8fb4dc5eb3be1285ab9892a467ea5c333271d82893feb33a1876aeae882b9dac39d77d135c0cb833672a6571912bc15e2c83c7b83623414d5abb6de368ba15a71a65196a70633b3221d146253c2a5af9a40cabe2c485499e72a9368a769190b99693bc1b2acae94dc5fab7e02cade3ca774a68c10a0e5aeb69c35ef838b10e5972aba916b9a6a4595d9d054718e653fc48a53ca1e38470ae9d04184a5da1e66016504e6505b7735f5b42e29320cc6bf5f61ee3220b77c39f911faff605efec669f46f1e1ded1d06e7651e9a112e6344065f31431733e9a32682d44b83124fd2a126032548e13abd84f58ad5b46e1ae871200e45530167ade31e6be8b2e4abfdf53b8eba67af5984cc5c75d09daa5c72c42636a2ac324c6ab1f8331744d2a77d70eeeb70949abceaba1c104b635b38ddd2254504b2f0b35a7c0b0a8e21406437114d96694533e493839ef9b3b51c2b0571ea6dcce748b6b6de805010ca4938b35905704ebd9e880222586489eb40dab12d2d6a40885d23c33ed0f5d5b7908a28543962a2c5c6b1bf74cd8695f9456bccf207eaac5cd336f7a27ab5b472532a063ec337945858b14a71bb5ccd9cb2af109ad943363e528519e7422891118c8ce7bbdfe6c855087375f3960d86b7d2e506b2c08a54a86177207d6cd1feba68f3454aaf1184eb867d2f04f354ea20ffd5db3d250270870203010001a351304f300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604148570009f77591e8cac3c9f77262819cc9ac18f32301006092b06010401823715010403020100300d06092a864886f70d01010b050003820201004f2574bd1f624f5f0ff74222d7d1d65304232ec5d5d7072b6b793b5f6d90ed1355d382f1f5028f3ef996267e0d421876fc6055825a86bd113339690fcee0b02bf15d19dfd8d2fa86a4cccdacf0d0ae9a8b2b248f03c1350d20b3dfc742ea77292e0a12fc0b1a458dd931840d8d02c0acfad212bf1e6a343eea8300a348754e72662da1a5129f37a85d4a7759cfd63afc30c5a609a5bfb108e3fb2c9f76c4fb4e611d6d23f3766985eb49bb0df73dd0aa05bcdd3d6e80445ed99a68ecc989c7e61a18f860a0e78cf6e6516f0ee025b863f9f9c20b8c3c9cb2f042cdbec3f5fe4929559c5e8696fba1ed6d2686e8b8208b5cc6e72d31c5aaca7d4b7da059a41efb5071e9afcfd6aa0d99de8e95269731a5f47f6df46815b8e3f7add8efd13875025ffd6d4efcb6fc2f451ba9cad11e7aff75181536c120e45f483a95eb7be4f5f6f4fec94b21a2a9ea8a9925cbe8444090d539b46b239b52bcc0c17e17666e650bf5741596a866ed856854b224e87588644589853c7a656b96e0f259ea4725660f6a1b0c3fd44ae64b26174709fed4d7b8e0cee72f94ad808b6770ccb77bcf1b2bb9d15bbdb8035cb1f01b412ce6535516e74a0e41089937e2a9d76d0e6a45e5ece388a9fdb69bc32820ceabc2936b516553bfa05e7b9d26349a514c8ca638d5865b3c55ee50ec000bcaacdcca10abdf189bd2ac0c8d084515af8535355ae526bc	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F89A37FB24B0417D93BFB760B12121F5A358F9D9\Blob = 0f00000001000000140000004af632248aedb7ff558427f06389a5acbf941e7c030000000100000014000000f89a37fb24b0417d93bfb760b12121f5a358f9d920000000010000004e0500003082054a30820432a0030201020210474bf5dfd0395ca926b2f2367e46dce8300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3136303130343030303030305a170d3136313233313233353935395a3081b9310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303117301506035504090c0e313235352042726f61642053742e31223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100b512f8d9138a6e9889f0afac2c1f2402e9fe96acc0b45a85110b39d9d8de6998199750cb863df84a12796591b7f5426bc0f101c0b6afd1bd5e1f14e4c9805e4f6eab19b893342a581e832bcd90776a9eca9ed04acf2776b4e4bcea4f31824e76dd03fd1ad5376c1bfa095b474350ad21c618884680acf98350336c5c21308188bc942bcbdfc456828ea1fa7f1ae3e8b01a4756348120db21f6c32e0b968e65351c1f46db2a0e94fdcfb0e7e0ff8f26c26c1cb649602b0f1a2f5eb3a546f8e713831f6474d9f79c725cb32cfcbc9999520e2b8012fa758548bc909bc1c5adedd904af9ca03de0fbc0a45d7c5ebc571787e1e7d8ff5c8d627368997dce3beffb2b0203010001a382018930820185301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604141221ea3afddda8a617401cf0f7252824021e4559300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010505000382010100067db05f13966dfcef07fa46bc1de610588943d981e2f71f0035cf57df75efed23789498faf85c62ce1ed4f5e8415105ec7febfb50a26ff1c551f7e23ec81f2635b29f444a1db4780623ff96421e2019b125687b083921490d97cf2d281d1e44d114692c61df0da4ff82c7d8820e710879c644fea724977a52be3cb8135e3717d5eb144a07dea4a6a70087ccde43f7f62b8c8cced2887cc7e3b625e02e855840fb585a2066f2bf345a8ecf50a3a443250382cbe9e9177f5f666266a49c68262addcc6cfc25bd66601b5799e459318dcd250b0ddeac26f07e2126794054ff0f97cc84e70741601e7941f0a7a2d62a4ee10723215efcf93d3933517e87b00ef2b5	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3F14CDC50FA95DFA78F9488E6A96FF0B4011F460	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\39488FE6BE0D00E76D475BD2902442A541A0E1A3	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\8D170F91DE1907BF03CD9F1DEBFEF61E3D3670CC\Blob = 0300000001000000140000008d170f91de1907bf03cd9f1debfef61e3d3670cc2000000001000000130500003082050f308203f7a00302010202102c01585522e8fa61138aefa4f627eea8300d06092a864886f70d01010505003081b6310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f7270612028632930393130302e06035504031327566572695369676e20436c617373203320436f6465205369676e696e6720323030392d32204341301e170d3130303330323030303030305a170d3131303330323233353935395a3081cc310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a6572736579204369747931283026060355040a141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632312830260603550403141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30819f300d06092a864886f70d010101050003818d0030818902818100b78b6ba1d6ad632f49c5b7ad19ac17479b5bb3d66034124eba28c27dc98235f41b4996e53da458d3a5d5b7539f44126b203fbb8a9201b13d7860c645f83f2633f8d9e08e2a424f3ca50e48aae25614645c3fe3fea64764476478569e5e0a617568cb78a79f933cc071fd9a0aa0e74371f184a63bb6e82962416ac3c6263602890203010001a38201833082017f30090603551d1304023000300e0603551d0f0101ff04040302078030440603551d1f043d303b3039a037a0358633687474703a2f2f637363332d323030392d322d63726c2e766572697369676e2e636f6d2f435343332d323030392d322e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307506082b0601050507010104693067302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303f06082b060105050730028633687474703a2f2f637363332d323030392d322d6169612e766572697369676e2e636f6d2f435343332d323030392d322e636572301f0603551d2304183016801497d06ba82670c8a13f941f082dc4359ba4a11ef2301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d0101050500038201010023e7d8b884c4cb85444c8cf519168ad5377a4c6cd1210690ef8ff7e3c1d26395f54eec8be2e3673c46cf0e7dae32818bad45ed786d10d63c968001c35f455b3f828cd7f8cf995c6b7bfb2bd915c802f49ec9c5a74870af2740950fc71d8cb7512bea2ff1ad13e9f3615fc515c8fd35b0df32293ef5be1c660e544682d2b12968d0ea991f1ce83d69127de6e9b90898536f6d2d2e345a5174b970694af8415a9866a64c786047627717e382a445877348cfbcc631c2fba28185efbe4ae5bdfa9b7c682ac66797c80528aa9ec74d05eb6d6c1b376b439fe312329968f466e345f16ff92c7cbcfa6a6116cd1cfba2bf32c066c2c8181028a315914824130b95abb2	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\39488FE6BE0D00E76D475BD2902442A541A0E1A3\Blob = 03000000010000001400000039488fe6be0d00e76d475bd2902442a541a0e1a3200000000100000068050000308205643082044ca0030201020210071ae4a2402bb0ad40f3fbd4402b9290300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3133303430383030303030305a170d3134303430383233353935395a3081b9310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303117301506035504090c0e313235352042726f61642053742e31223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100d16dbef9f9b66b60cd10d445259a1340e176ea68a389e786588ea50ddede49f026ee9fadcdfaf92a4d5759e4157f166827acef7aaec040e4ec816905e85396416ae568b0f57672069ab644792bef047fcbb11ec708f7e6e8c06f484b328cfbf769aaaad4aafb9f6c4f4c22e552bbd41b367ad3a5130f06f71bdfce3f295a2eb35c6863496588a6a018ef0205d950bb2aa130263f0e4dcc3976de1c04a41d6f825e47e6d0da838b1454fe7bc35449984bc83e906f76ddc59e70fd00f8393b377dd459a3ed394db48a66dc4b6411d7d65dddbc1a964022d77bb4fe6bbc1a6d39f4832c15dbee8183f2fe46aa57bca4e2df4a3f7843f3bf677abf63c363d39c1b410203010001a38201a33082019f301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604145e313f971a8d01f8288f3edaef539b06c99d97fa300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30180603551d110411300f810d636140636f6d6f646f2e636f6d300d06092a864886f70d0101050500038201010044a773cdd6d5f08fc0a6d76d84ca14d5cb7ff98f2c9b2a9d28902d5d24282fd9fe6e3cad24fa31199ee0f2ef48e973ccb133e9007791b76362a14839b97b80bfefce0accfb9dedaa51e2c3a213114442009d1479088e2beca664c6ade7ba8e3913bdfa8589fc8ac59177ca3705e58585f1887685b89bdbf1b7bc6efa82a2b4ae273eebd53dea3651cb0e77e016b69ca726f759106338c242f1596225f235854d612ffaf7e9a8756403d802a071dbafab7cd14a44005bb3bd1ba21235816372cf32775985b2a09248f8f52065cb58b9c09cbf50e7e3bbbc78e69118e67e882a52385d456ee824e1f4d631d87b394cc1d19eda889b4933ddecb183548df778759b	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\C6C9520866B57431E708BB81342E072205CB5BE0\Blob = 0f000000010000001400000071016038dc9322758f4f45cf1f4876c88226aa84030000000100000014000000c6c9520866b57431e708bb81342e072205cb5be020000000010000008d0500003082058930820471a00302010202100c078e1d0f486bf4325e09f8bedf2446300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303130204341301e170d3131303330323030303030305a170d3132303330333233353935395a3081cc310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a6572736579204369747931283026060355040a141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632312830260603550403141f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d259e2895bd9e9403944235673728dc6536175a5dd87ae799971db72df0530cd9e1bbca1b2d8a1dcb7daf112ef085cd6799d1f1dcb10c0e2947121be232c205edbc670b140e3d991ac6721c371c9ca2e32056c1d71e1cfe57382bc7d70944ca90a3f7b9ecdbcb78c141341ea0f144d4293fd83cdac3ff598618042df6c9d604d21c4c68b3e2a542b1a6a49c0f267aeab4ca6f65ba4767a961c7133688f52f9d292a345ef4c40e0fa13b07a1f76b82f0fad48abdc8b14e24b1b5cc00eca542db1fc579843c204db6b4ba18037be05efa09659c08e896fa293eb9f1629c21a0c86b7d867fc9fcfee94f70aec86196b714639a156e41e9bf1e630710485158e7a1f0203010001a382017b3082017730090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f637363332d323031302d63726c2e766572697369676e2e636f6d2f435343332d323031302e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307106082b0601050507010104653063302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303b06082b06010505073002862f687474703a2f2f637363332d323031302d6169612e766572697369676e2e636f6d2f435343332d323031302e636572301f0603551d23041830168014cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d010105050003820101008ac92cc8145ce639e61c121954f20a835339bb47f44c9544579918ab8530315d491146e8e536ab85f3b9e96f4ed30bbc8b01d7f40b8078a8ee210c088952c6bc1063a05ea02924704b7c9e1e2f2910a6443f29b7d1a06943952d09c99242ecba6fae43a8752f313b4cfb05aea18329163218a4e9c8884fc42f7cdcacb7535f56a1a82ebc38ae19c01ff72bd0ff347453f604d4188d75abf602799400788715be414c6e1911b737ad0e07bf049711b9460fe933665551beed9b17679c9c7ed1d81ad4509f706e38398b89159be6c97ad2d68ee540816a30e0657d65f49207812420831f9cc54190ddbd0b86d610f2f0f7f1bf583bf4fffb1744ffc83289a24552	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\76FBABF1EADED3B91DD7A76A6678301F1F87AA97\Blob = 0f00000001000000140000001dcb79ef0387b641fad2722ff112e69ccc73389f03000000010000001400000076fbabf1eaded3b91dd7a76a6678301f1f87aa9720000000010000005a050000308205563082043ea003020102021100c5144cf5e535f748a9afa6fc384c0775300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3138303130343030303030305a170d3139303130343233353935395a3081c4310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303116301406035504090c0d313235352042726f616420537431283026060355040a0c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e3128302606035504030c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100e7cbaab2f00e8651180214f1ed65f1eb65ecd2f22b19bdc1d1d2c868f9e0e39acce5af71db4f0dce385be0a9d9893de4c279fd4d443102a027e15e1d61162a3215dde877f8bf3fe0683ed7c43cd7d43f1f1022739cb1f3753d70025a598b42101c9df0cb4fe5bf88417379322b139c038443b11e5bd176d6a4104ee46e6c977a23b6ebf0b37c581c2eb8175c19847a4515dbc2d1cba91a643b66a1d7ed2693894015fa5e3090c634ab718f91869cc46625e9b82208e5a3f645bc22bf0d30c0192c31af3a41d441f9c5c775b7d4c169d5eb30f6d9cf925db9d7ca6f709cda6ff64fbad2094e83cf5bdcdf7e20b0a26187ee5a54d0e6bd5d438fd45f4213f996f10203010001a382018930820185301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e04160414a4cf9fa30897a5d428ba7d95b4c530d622c8bac4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010505000382010100753282ba1f92581fd0486a791deea4b862c2ed4b37f7dedba7a971004dae9d87c6ce89cbd3fe730689f3b30c29830b15b45e023a8b2a0f1d7624ec0d1171abb783d9bfbe2f0a5919eac664f584423d302009ec5ebcabed2fdf775ecc36aba13147d6692833f58f630fff673d6154263421e39aa66111e3ba1a5555651f9dea4f35455e1dfb49a15a1c65d648acd94c68c105a345419e8f4dd9dc7a66ad2d5853982bcea59b9735c186703b164e97844fe093deb4af53f097b59a21c77b896b20942183bb34db84ac0d460f5752876c9fe3f39ce9bcd2a14d7a9fc7b8b3d25f721af0de615c4609ad959c212f1baeb561d0108a90b20fb78f56de7c0817209d15	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\577DB581A72DAC211A2E3E547077529D54671825\Blob = 0f000000010000001400000062168746c03287ebf06481fd267a4ae824ab4448030000000100000014000000577db581a72dac211a2e3e547077529d546718252000000001000000620500003082055e30820446a00302010202105eb0a7021a06c5b10c21eb8b1716c6b0300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3132303631343030303030305a170d3133303631343233353935395a3081b3310b3009060355040613025553310e300c06035504110c0530373331303113301106035504080c0a4e6577204a65727365793114301206035504070c0b4a657273657920436974793121301f06035504090c183532352057617368696e67746f6e20426f756c657661726431223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100b955ac4b449fee58fa6314876ead56819f17569e8d4fad77698ce21a7c28bfd3d50eb1b77023e54d202eca50e13f4b23eb336fbff44bc2537045bc50687f524781a5a47057dc2761e531664acd1167f8f62c60a49cf4473093b3a12a975d70f60d7d9fbac2336f534bdfae2fff191321ae2f794998ab4f71ffc28537a7a820dbacdaa03ae83b8fe264825baab754a460ecdb41f1e1eac9f3c07492520bdffeee31b2ccbb79f9ac3151569e506665437d470c977082490dd030d0fc6c0e6480470f95b41e47ef7933677fa03e67493d7e855002755a41338060853cc34249fab73c233515b179384b7198bb91d33d8294664d329f251f6510828aba15f4311fef0203010001a38201a33082019f301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604142e10c21ad189ebcb079c83f277d898c9144ade08300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30180603551d110411300f810d636140636f6d6f646f2e636f6d300d06092a864886f70d01010505000382010100ac5ef51daeb71d81e2741745d8959c9a87d731ec7883d97033d6c2d2907b6a47c20bb79300888a341d66a43e7dd399cc52e7fa6695e8aa9a933f8bcb76dee802e1def8c6ac4153514d3793188130b1388baa405f4c8d3710c1a1333f666a0a9eed5844fef4e266a15f8785fff19f6c1e6f1304a7b9dfbd518477e39bf4ce32ebc5931519123198e35b754a77f0e6776046004e9d1b4b55f7bb0580583a605934affb7416f499a1a1fdc31b30cd9ec46e04764b5fb45a19257d971d7120f28bf81ee6e1a82720653d58a45694b395f7ae64a7d7712d9b127d0051903d96462314fc35e9091e08736f9e25be120d3b4bc28a443c5315c06cef5522a4d2c97d3d04	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\31D019FC7AB697D57D9C4AFB340ED7C4D10400DF	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\76FBABF1EADED3B91DD7A76A6678301F1F87AA97	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E35E6F46A1A9A4D18A4DAA298BDA4D1E8879236E	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB\Blob = 0f0000000100000020000000ed55f82e1444f79ca9dce826846fdc4e0ea3859e3d26efef412d2fff0c7c8e6c030000000100000014000000f8db7e1c16f1ffd4aaad4aad8dff0f2445184aeb20000000010000000906000030820605308203eda0030201020210078f0a9d03df119e434e4fec1bf0235a300d06092a864886f70d01010b0500308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f726974792032303134301e170d3134303532383136343334365a170d3339303532383136353134385a308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f72697479203230313430820222300d06092a864886f70d01010105000382020f003082020a0282020100c20f7f6d49bb39f04d943fe8fb4dc5eb3be1285ab9892a467ea5c333271d82893feb33a1876aeae882b9dac39d77d135c0cb833672a6571912bc15e2c83c7b83623414d5abb6de368ba15a71a65196a70633b3221d146253c2a5af9a40cabe2c485499e72a9368a769190b99693bc1b2acae94dc5fab7e02cade3ca774a68c10a0e5aeb69c35ef838b10e5972aba916b9a6a4595d9d054718e653fc48a53ca1e38470ae9d04184a5da1e66016504e6505b7735f5b42e29320cc6bf5f61ee3220b77c39f911faff605efec669f46f1e1ded1d06e7651e9a112e6344065f31431733e9a32682d44b83124fd2a126032548e13abd84f58ad5b46e1ae871200e45530167ade31e6be8b2e4abfdf53b8eba67af5984cc5c75d09daa5c72c42636a2ac324c6ab1f8331744d2a77d70eeeb70949abceaba1c104b635b38ddd2254504b2f0b35a7c0b0a8e21406437114d96694533e493839ef9b3b51c2b0571ea6dcce748b6b6de805010ca4938b35905704ebd9e880222586489eb40dab12d2d6a40885d23c33ed0f5d5b7908a28543962a2c5c6b1bf74cd8695f9456bccf207eaac5cd336f7a27ab5b472532a063ec337945858b14a71bb5ccd9cb2af109ad943363e528519e7422891118c8ce7bbdfe6c855087375f3960d86b7d2e506b2c08a54a86177207d6cd1feba68f3454aaf1184eb867d2f04f354ea20ffd5db3d250270870203010001a351304f300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604148570009f77591e8cac3c9f77262819cc9ac18f32301006092b06010401823715010403020100300d06092a864886f70d01010b050003820201004f2574bd1f624f5f0ff74222d7d1d65304232ec5d5d7072b6b793b5f6d90ed1355d382f1f5028f3ef996267e0d421876fc6055825a86bd113339690fcee0b02bf15d19dfd8d2fa86a4cccdacf0d0ae9a8b2b248f03c1350d20b3dfc742ea77292e0a12fc0b1a458dd931840d8d02c0acfad212bf1e6a343eea8300a348754e72662da1a5129f37a85d4a7759cfd63afc30c5a609a5bfb108e3fb2c9f76c4fb4e611d6d23f3766985eb49bb0df73dd0aa05bcdd3d6e80445ed99a68ecc989c7e61a18f860a0e78cf6e6516f0ee025b863f9f9c20b8c3c9cb2f042cdbec3f5fe4929559c5e8696fba1ed6d2686e8b8208b5cc6e72d31c5aaca7d4b7da059a41efb5071e9afcfd6aa0d99de8e95269731a5f47f6df46815b8e3f7add8efd13875025ffd6d4efcb6fc2f451ba9cad11e7aff75181536c120e45f483a95eb7be4f5f6f4fec94b21a2a9ea8a9925cbe8444090d539b46b239b52bcc0c17e17666e650bf5741596a866ed856854b224e87588644589853c7a656b96e0f259ea4725660f6a1b0c3fd44ae64b26174709fed4d7b8e0cee72f94ad808b6770ccb77bcf1b2bb9d15bbdb8035cb1f01b412ce6535516e74a0e41089937e2a9d76d0e6a45e5ece388a9fdb69bc32820ceabc2936b516553bfa05e7b9d26349a514c8ca638d5865b3c55ee50ec000bcaacdcca10abdf189bd2ac0c8d084515af8535355ae526bc	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\98D9D6CB8497105298536D86E468DD0323DCF318\Blob = 0f000000010000001400000090a2410adcf68db8c38f4069ff4c49d5eb93731803000000010000001400000098d9d6cb8497105298536d86e468dd0323dcf318200000000100000001050000308204fd308203e5a003020102021015f007bd5f4ef8079892414f2c01d1d1300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293034312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303034204341301e170d3039303333313030303030305a170d3130303333313233353935395a3081c0310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a6572736579204369747931223020060355040a1419436f6d6f646f20536563757269747920536f6c7574696f6e73313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e2076323122302006035504031419436f6d6f646f20536563757269747920536f6c7574696f6e7330819f300d06092a864886f70d010101050003818d0030818902818100c98a30777f1383df7fd5858ac100e27deaaae1b334d290c2f5c80caf0da0fe0d867093e41a8306582d1645f3227c76e9dd517915d9d934df581873f4e8eb1707eef36402f320aba6fd4a31baecafa515473ea7d7b18275b9527cae10747f2468640e050a260064328393b7ba7a6372af443b24d461e4465c80ab1f720a4936890203010001a382017f3082017b30090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f435343332d323030342d63726c2e766572697369676e2e636f6d2f435343332d323030342e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307506082b0601050507010104693067302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303f06082b060105050730028633687474703a2f2f435343332d323030342d6169612e766572697369676e2e636f6d2f435343332d323030342d6169612e636572301f0603551d2304183016801408f551e8fbfe3d3d64367c68cf5b78a8dfb9c537301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d0101050500038201010010da5f375376fdc6aef5a9771878d640588ecb4348af3ce8d157fcc3bd313d17d24f3f0cd56417b74cdccd93fefc71f5391c3851ecda633dfb854a4426927cf1cabf5b0577c0e435588889cffa768ee31961b70b287fabcc46d8cd97fcbc6ccb05ebf4bb866693936cfc04e39da95a03002b85ef6136029cf1abd2a645daf6fcaf8f656f52ce020a9c7cb50efd0c7a8870064e739588be196d11a51009ddd1b14ebfa77674f5a83a6fcc3e4944de515fc63bb1f09d4af60412df166dac76f6ffce977a3672c75d234bb6720b86a0e8d7e34070af8ce063ec686463596c71f3eb61bed40332a588f7e2a3a99da776af16bc94e218fdc5af008a304a716c73f624	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\8D170F91DE1907BF03CD9F1DEBFEF61E3D3670CC	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 5c00000001000000040000000010000019000000010000001000000082218ffb91733e64136be5719f57c3a1030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b402340b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df10400000001000000100000001b31b0714036cc143691adc43efdec182000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F89A37FB24B0417D93BFB760B12121F5A358F9D9\Blob = 030000000100000014000000f89a37fb24b0417d93bfb760b12121f5a358f9d920000000010000004e0500003082054a30820432a0030201020210474bf5dfd0395ca926b2f2367e46dce8300d06092a864886f70d0101050500307b310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643121301f06035504031318434f4d4f444f20436f6465205369676e696e672043412032301e170d3136303130343030303030305a170d3136313233313233353935395a3081b9310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303117301506035504090c0e313235352042726f61642053742e31223020060355040a0c19436f6d6f646f20536563757269747920536f6c7574696f6e733122302006035504030c19436f6d6f646f20536563757269747920536f6c7574696f6e7330820122300d06092a864886f70d01010105000382010f003082010a0282010100b512f8d9138a6e9889f0afac2c1f2402e9fe96acc0b45a85110b39d9d8de6998199750cb863df84a12796591b7f5426bc0f101c0b6afd1bd5e1f14e4c9805e4f6eab19b893342a581e832bcd90776a9eca9ed04acf2776b4e4bcea4f31824e76dd03fd1ad5376c1bfa095b474350ad21c618884680acf98350336c5c21308188bc942bcbdfc456828ea1fa7f1ae3e8b01a4756348120db21f6c32e0b968e65351c1f46db2a0e94fdcfb0e7e0ff8f26c26c1cb649602b0f1a2f5eb3a546f8e713831f6474d9f79c725cb32cfcbc9999520e2b8012fa758548bc909bc1c5adedd904af9ca03de0fbc0a45d7c5ebc571787e1e7d8ff5c8d627368997dce3beffb2b0203010001a382018930820185301f0603551d230418301680141ec5b12c7d87da02687c25bc0c07843fb6cfdef1301d0603551d0e041604141221ea3afddda8a617401cf0f7252824021e4559300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e63726c307206082b0601050507010104663064303c06082b060105050730028630687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f436f64655369676e696e674341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010505000382010100067db05f13966dfcef07fa46bc1de610588943d981e2f71f0035cf57df75efed23789498faf85c62ce1ed4f5e8415105ec7febfb50a26ff1c551f7e23ec81f2635b29f444a1db4780623ff96421e2019b125687b083921490d97cf2d281d1e44d114692c61df0da4ff82c7d8820e710879c644fea724977a52be3cb8135e3717d5eb144a07dea4a6a70087ccde43f7f62b8c8cced2887cc7e3b625e02e855840fb585a2066f2bf345a8ecf50a3a443250382cbe9e9177f5f666266a49c68262addcc6cfc25bd66601b5799e459318dcd250b0ddeac26f07e2126794054ff0f97cc84e70741601e7941f0a7a2d62a4ee10723215efcf93d3933517e87b00ef2b5	cfpconfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3F14CDC50FA95DFA78F9488E6A96FF0B4011F460\Blob = 0300000001000000140000003f14cdc50fa95dfa78f9488e6a96ff0b4011f46020000000010000005f0500003082055b30820443a0030201020210124ee46d5e92cc4dbd6ebf3acd2e7fd0300d06092a864886f70d01010b0500307d310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312330210603550403131a434f4d4f444f2052534120436f6465205369676e696e67204341301e170d3137313231333030303030305a170d3138313231333233353935395a3081c4310b3009060355040613025553310e300c06035504110c0530373031333113301106035504080c0a4e6577204a65727365793110300e06035504070c07436c6966746f6e3112301006035504090c095375697465203130303116301406035504090c0d313235352042726f616420537431283026060355040a0c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e3128302606035504030c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a7f0a04410f74dd9a1c24a14699f977551af2f528fe1a83b461da7a6d4e3099d5853b065396e990d9fa3c4ad1232128868cbebfc1aa5edf788f6d8aedb9ab5a82e923276061bb0d6980237f6dcdf8876f8bac93bc05edcaa0b8f93d0d03c132c8bf0a11bbaa16106732d636fab5f2710acd3711181454cf419d27f3078cda5c96ed284c2102ef8723e1e7510fbaa7fb3025a00d72f226fbcb69ea8192e7862f422fd83c221b77eb4953f1ad779765b2f8292004a11fd266bbcbbe0448fd199ce6a70e990ffdc11105bc4b92b1b90b82010ff56eb8daa434bd6405b519552649c4e136ae8c381171fe2d1a4e0522dbd2feecddc2cb40a01accc49b5bc55d59fb50203010001a382018d30820189301f0603551d23041830168014299160ff8a4dfaebf9a66ab8cff9e64bbd49ce12301d0603551d0e0416041470cfd4fe3684b3c7eb2a7f08aae10493a839344d300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e63726c307406082b0601050507010104683066303e06082b060105050730028632687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010b0500038201010020d13cee9ecf43b51c1a9ef12f4ff2f85516a21fd1c4df41ef814d29d3113647e46e39dda693e0548c31f714e64b8176e537f6191407bb7f422a9bcc941f4a4703b0a508e29adb32b527f50b68e0294971778d1ccde7126f5536d488267cf7a0cdd83fb1e93af6b43fa6cbf4a2f01d6c8cf4a253c2c94f7518bf38efa43239155ef7b7bb4c139540d49af1ca750469f06f01c82d11b0f2fdfbdf3d9c778c8d23d2d40a66ce10d6e07a74955907a2937a6ba6a5dcd7071fb61e3ce34b610e03ca8e6c5a003da76d492fc19ee8666d237499f486b6b8d8a1da4f3052abee516491d09f9d687129f44ba62151e2656710b8dd9a7e9a19d1d4a91e9b6a642d5996b3	cfpconfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F5F8EEAC5A0127025E936C01493D1C11D5012BA4	cmdagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E35E6F46A1A9A4D18A4DAA298BDA4D1E8879236E	cmdagent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\31D019FC7AB697D57D9C4AFB340ED7C4D10400DF\Blob = 0f0000000100000020000000c6dcba6192a502eb4e7caebea466be00c8abbf2269740faa6156a5341ba0a2be03000000010000001400000031d019fc7ab697d57d9c4afb340ed7c4d10400df2000000001000000250600003082062130820509a00302010202101b427b060e2866bfb586cc267e1c3eaa300d06092a864886f70d01010b0500308191310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564313730350603550403132e434f4d4f444f2052534120457874656e6465642056616c69646174696f6e20436f6465205369676e696e67204341301e170d3138313230343030303030305a170d3231313230333233353935395a308201093110300e060355040513073339313038303531133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c6177617265311d301b060355040f131450726976617465204f7267616e697a6174696f6e310b3009060355040613025553310e300c06035504110c053037303133310b300906035504080c024e4a3110300e06035504070c07436c6966746f6e3116301406035504090c0d313235352042726f616420537431283026060355040a0c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e3128302606035504030c1f436f6d6f646f20536563757269747920536f6c7574696f6e732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100ad390c8bc919005d5894a91a9585ef887fbd7c2341ff5ebb3efc6f645a66c55e6da11febce740e53ed9416284dfc7d142e4dc21f99753b5f60ae9aadc764b59efd9ffd33b20ae1c54eba629408a1b095a59cf4af0ad9db9bc494250154dcd0edefcec62e4b248d9a793b703aa15255baf3553fa59d4dc558ba4303af630bb626cd6627e0c4a45764ec3b286c38ab2499f9dc13eefdffa7841297ff533b47061b9aa3ff09ee3f04a7b10ba70894e53f3352b1f60eddfc021a66546e3392795bb6ae49a92f189ec2a7cdd9a935fab33a5ce7fc16c4b7e8ca13b4551d38a6a7c0658298a5adf5f6796675f58e1bb4ce410ff704bc5e845bc1ef83c18a0d50e137370203010001a38201f8308201f4301f0603551d23041830168014df8ff3200ce9caa604d85b58372a3dab46dc8349301d0603551d0e041604142d99b81962209042dc650eb36ec07ad996e48c4d300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010601302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e636f6d2f43505330550603551d1f044e304c304aa048a0468644687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341457874656e64656456616c69646174696f6e436f64655369676e696e6743412e63726c30818606082b06010505070101047a3078305006082b060105050730028644687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341457874656e64656456616c69646174696f6e436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30440603551d11043d303ba02306082b06010505070803a01730150c1355532d44454c41574152452d33393130383035811473636f742e7765697240636f6d6f646f2e636f6d300d06092a864886f70d01010b050003820101007f4d3e6594a3e380fac36b00e97ccacce4786be2ecc13cf37e737aaca0328bb8bfdcd513daff94aba1c7ee00cc8a3bd073157a812f6e31f772781d0bb922a8b86932b296c2312cdf3b239c42bb443b4b1b89b36de34a7fae65ac63eb6ead8812f8d373fa6f1a4e8d9e62eb004caae3639e41e08ed48d640b04725b09b4411dc083587e7fe24b33d90677677960efa6299cc85c4b2bfae4cdfe36581d25e029f6af1a7e77f502882d87597f3cc5bb450a71f9fd57f43b321baa4cbe5213a48a2c5b785a9de4103d5029e4db79403e98784e51379d45a86996b183469e98470731d1a603eaa443a05527aca62f51631722dc0dfe5d74c8298d2aed885d34c9be61	cmdagent.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4540	offlineinstaller.exe
4540	offlineinstaller.exe
4540	offlineinstaller.exe
4540	offlineinstaller.exe
2200	msiexec.exe
2200	msiexec.exe
4652	cmdagent.exe
4652	cmdagent.exe
2200	msiexec.exe
2200	msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4540	offlineinstaller.exe
Token: SeIncreaseQuotaPrivilege	4540	offlineinstaller.exe
Token: SeSecurityPrivilege	2200	msiexec.exe
Token: SeCreateTokenPrivilege	4540	offlineinstaller.exe
Token: SeAssignPrimaryTokenPrivilege	4540	offlineinstaller.exe
Token: SeLockMemoryPrivilege	4540	offlineinstaller.exe
Token: SeIncreaseQuotaPrivilege	4540	offlineinstaller.exe
Token: SeMachineAccountPrivilege	4540	offlineinstaller.exe
Token: SeTcbPrivilege	4540	offlineinstaller.exe
Token: SeSecurityPrivilege	4540	offlineinstaller.exe
Token: SeTakeOwnershipPrivilege	4540	offlineinstaller.exe
Token: SeLoadDriverPrivilege	4540	offlineinstaller.exe
Token: SeSystemProfilePrivilege	4540	offlineinstaller.exe
Token: SeSystemtimePrivilege	4540	offlineinstaller.exe
Token: SeProfSingleProcessPrivilege	4540	offlineinstaller.exe
Token: SeIncBasePriorityPrivilege	4540	offlineinstaller.exe
Token: SeCreatePagefilePrivilege	4540	offlineinstaller.exe
Token: SeCreatePermanentPrivilege	4540	offlineinstaller.exe
Token: SeBackupPrivilege	4540	offlineinstaller.exe
Token: SeRestorePrivilege	4540	offlineinstaller.exe
Token: SeShutdownPrivilege	4540	offlineinstaller.exe
Token: SeDebugPrivilege	4540	offlineinstaller.exe
Token: SeAuditPrivilege	4540	offlineinstaller.exe
Token: SeSystemEnvironmentPrivilege	4540	offlineinstaller.exe
Token: SeChangeNotifyPrivilege	4540	offlineinstaller.exe
Token: SeRemoteShutdownPrivilege	4540	offlineinstaller.exe
Token: SeUndockPrivilege	4540	offlineinstaller.exe
Token: SeSyncAgentPrivilege	4540	offlineinstaller.exe
Token: SeEnableDelegationPrivilege	4540	offlineinstaller.exe
Token: SeManageVolumePrivilege	4540	offlineinstaller.exe
Token: SeImpersonatePrivilege	4540	offlineinstaller.exe
Token: SeCreateGlobalPrivilege	4540	offlineinstaller.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	5068	MsiExec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	5068	MsiExec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	5068	MsiExec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	4224	MsiExec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	4224	MsiExec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeBackupPrivilege	4404	vssvc.exe
Token: SeRestorePrivilege	4404	vssvc.exe
Token: SeAuditPrivilege	4404	vssvc.exe
Token: SeBackupPrivilege	3216	MSI20BD.tmp
Token: SeRestorePrivilege	3216	MSI20BD.tmp
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	4224	MsiExec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	4224	MsiExec.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4540	916	installer_Win8_Win11_x64_24c29276a3b22.exe	79
PID 916 wrote to memory of 4540	916	installer_Win8_Win11_x64_24c29276a3b22.exe	79
PID 916 wrote to memory of 4540	916	installer_Win8_Win11_x64_24c29276a3b22.exe	79
PID 2200 wrote to memory of 5068	2200	msiexec.exe	87
PID 2200 wrote to memory of 5068	2200	msiexec.exe	87
PID 2200 wrote to memory of 4224	2200	msiexec.exe	89
PID 2200 wrote to memory of 4224	2200	msiexec.exe	89
PID 2200 wrote to memory of 3528	2200	msiexec.exe	90
PID 2200 wrote to memory of 3528	2200	msiexec.exe	90
PID 3528 wrote to memory of 3216	3528	MSI20BD.tmp	91
PID 3528 wrote to memory of 3216	3528	MSI20BD.tmp	91
PID 3216 wrote to memory of 4392	3216	MSI20BD.tmp	95
PID 3216 wrote to memory of 4392	3216	MSI20BD.tmp	95
PID 4224 wrote to memory of 5028	4224	MsiExec.exe	97
PID 4224 wrote to memory of 5028	4224	MsiExec.exe	97
PID 5028 wrote to memory of 2252	5028	cfpconfg.exe	98
PID 5028 wrote to memory of 2252	5028	cfpconfg.exe	98
PID 5028 wrote to memory of 3944	5028	cfpconfg.exe	99
PID 5028 wrote to memory of 3944	5028	cfpconfg.exe	99
PID 3944 wrote to memory of 2560	3944	runonce.exe	100
PID 3944 wrote to memory of 2560	3944	runonce.exe	100
PID 5028 wrote to memory of 396	5028	cfpconfg.exe	102
PID 5028 wrote to memory of 396	5028	cfpconfg.exe	102
PID 396 wrote to memory of 1188	396	runonce.exe	103
PID 396 wrote to memory of 1188	396	runonce.exe	103
PID 4652 wrote to memory of 1984	4652	cmdagent.exe	107
PID 4652 wrote to memory of 1984	4652	cmdagent.exe	107
PID 2200 wrote to memory of 3636	2200	msiexec.exe	109
PID 2200 wrote to memory of 3636	2200	msiexec.exe	109
PID 2200 wrote to memory of 3636	2200	msiexec.exe	109
PID 2200 wrote to memory of 4028	2200	msiexec.exe	110
PID 2200 wrote to memory of 4028	2200	msiexec.exe	110
PID 2200 wrote to memory of 3160	2200	msiexec.exe	111
PID 2200 wrote to memory of 3160	2200	msiexec.exe	111
PID 2200 wrote to memory of 3160	2200	msiexec.exe	111
PID 2200 wrote to memory of 4460	2200	msiexec.exe	112
PID 2200 wrote to memory of 4460	2200	msiexec.exe	112
PID 2200 wrote to memory of 952	2200	msiexec.exe	113
PID 2200 wrote to memory of 952	2200	msiexec.exe	113
PID 2200 wrote to memory of 3204	2200	msiexec.exe	114
PID 2200 wrote to memory of 3204	2200	msiexec.exe	114
PID 2200 wrote to memory of 1976	2200	msiexec.exe	115
PID 2200 wrote to memory of 1976	2200	msiexec.exe	115
PID 2200 wrote to memory of 1664	2200	msiexec.exe	116
PID 2200 wrote to memory of 1664	2200	msiexec.exe	116
PID 2200 wrote to memory of 3868	2200	msiexec.exe	117
PID 2200 wrote to memory of 3868	2200	msiexec.exe	117
PID 2200 wrote to memory of 3868	2200	msiexec.exe	117
PID 2200 wrote to memory of 4868	2200	msiexec.exe	118
PID 2200 wrote to memory of 4868	2200	msiexec.exe	118
PID 2200 wrote to memory of 4868	2200	msiexec.exe	118
PID 4868 wrote to memory of 728	4868	MsiExec.exe	119
PID 4868 wrote to memory of 728	4868	MsiExec.exe	119
PID 4868 wrote to memory of 728	4868	MsiExec.exe	119
PID 728 wrote to memory of 4472	728	cmd.exe	121
PID 728 wrote to memory of 4472	728	cmd.exe	121
PID 728 wrote to memory of 4472	728	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\installer_Win8_Win11_x64_24c29276a3b22.exe
"C:\Users\Admin\AppData\Local\Temp\installer_Win8_Win11_x64_24c29276a3b22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\tmp_24c29276a3b22c122abb6a74cd3ff4688bce62f6\offlineinstaller.exe
  /q /ra suppress /rm "Enter a message that the device owner will get before the reboot" /rt 300 /7orhigher /8orhigher /brand c
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Registers COM server for autorun
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 6B6D2DBED02C12F46073680249EEDD15
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 85B105C711EB5FD75D1A24F3B8313FFA E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
    "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --langID 1033 --msiinstall --installCertificates --osver 1000 --av --productguid=A5001C53-6E10-4BE1-BA52-D7B364531FB9 --upgradeBackuped= --createConfig "active=endpt;dplus=opt;esm=1;av=1;fw=0;cesav=1;cesfw=0;cessandbox=1;free=0;noalerts=0;cloud=1;sendstats=1;configfile=;fwstate=0;dfstate=0;avstate=0;bbstate=0;avservers=0;standalone=0;useblob=0;trustnewnets=0;"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets service image path in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe
      "C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe" /Regserver
      4⤵
      Executes dropped EXE
      Registers COM server for autorun
      Modifies registry class
      PID:2252
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2560
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1188
- C:\Windows\Installer\MSI20BD.tmp
  "C:\Windows\Installer\MSI20BD.tmp" -rptype 0 -descr "Installing COMODO Client - Security " -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\Installer\MSI20BD.tmp
    "C:\Windows\Installer\MSI20BD.tmp" -rptype 0 -descr "Installing COMODO Client - Security " -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log" -working
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      4⤵
      PID:4392
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cmdcom32.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3636
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\AmsiProvider_x64.dll"
  2⤵
  - Registers COM server for autorun
  - Loads dropped DLL
  - Enumerates connected drives
  PID:4028
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\AmsiProvider_x86.dll"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  PID:3160
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll"
  2⤵
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies registry class
  PID:4460
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cisresc.dll"
  2⤵
  - Registers COM server for autorun
  - Loads dropped DLL
  - Modifies registry class
  PID:952
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cisbfps.dll"
  2⤵
  - Registers COM server for autorun
  - Loads dropped DLL
  PID:3204
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cmdcomps.dll"
  2⤵
  - Registers COM server for autorun
  - Loads dropped DLL
  - Modifies registry class
  PID:1976
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cavwpps.dll"
  2⤵
  - Registers COM server for autorun
  - Loads dropped DLL
  - Modifies registry class
  PID:1664
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 84D3BE739616CAB4C23EF338BB55A58F
  2⤵
  - Loads dropped DLL
  PID:3868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F020553935A8EE81A9BAA8CBCDB5D3BA E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe
      "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"
      4⤵
      Executes dropped EXE
      PID:4472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        5⤵
        
        PID:1164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe"
1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cavwpps.dll"
  2⤵
  - Registers COM server for autorun
  - Loads dropped DLL
  - Modifies registry class
  PID:1984

C:\Program Files\COMODO\COMODO Internet Security\cmdprots.exe
"C:\Program Files\COMODO\COMODO Internet Security\cmdprots.exe"
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- Modifies data under HKEY_USERS
PID:4012

C:\Program Files\COMODO\COMODO Internet Security\cmdicap.exe
"C:\Program Files\COMODO\COMODO Internet Security\cmdicap.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440

C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
"C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvMonitor -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Enumerates connected drives
PID:4156

C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe
"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"
1⤵
PID:2420
- C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
  "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
  2⤵
  PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe

Filesize
6.0MB

MD5
6ccf174c3e4c22ead7116e975fd8efd2

SHA1
21962d2bf76ac2b60465e59ec477763cea8c5748

SHA256
2842126694568703e55e2c30b4bfcb64d9c4d9ce2bbc2a6724851e22bd6093f7

SHA512
ed6885ac653187c8eca44b6104afa06b12e8525033c59b88a75e179286955e028a540be52746479b7116fc2b745178d15a37de7cc31df14825a210303b65d462

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cfpver.dat

Filesize
14B

MD5
69afe3369926f31ecf66590cbc3078b2

SHA1
b307496b6ff4be48a0bb1e787f9d69c2eade63bf

SHA256
46181be866a79cab6188b1b52035aefdb16d7784d93c6f8b7a04c1c4053004ff

SHA512
bce5b3e39f79e20cc4424de7b68de136dce40940e393c90d07b241435b5c2af8f65d0c7e970fd07dfb2f49bb360a495c56944acd952acfeb66bb1a80615c1d17

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe

Filesize
251KB

MD5
7100a47458e0615c16a9dab4b6f17b05

SHA1
794bc40b937904d80d767225d41e11c6dbae4239

SHA256
ff75c897e2cebe6ce92cb09270bd162a3b79eb73236ad33ad986216e5ce502b9

SHA512
81fd12211afe18e78d561f628c5abd0d6d290ddb435acfd41af7621e58288a09adb642ebaf133c85a8cb5d989ccaa6cef7886ce4cf1ceb011940ea2a6b2b52d4

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe

Filesize
251KB

MD5
7100a47458e0615c16a9dab4b6f17b05

SHA1
794bc40b937904d80d767225d41e11c6dbae4239

SHA256
ff75c897e2cebe6ce92cb09270bd162a3b79eb73236ad33ad986216e5ce502b9

SHA512
81fd12211afe18e78d561f628c5abd0d6d290ddb435acfd41af7621e58288a09adb642ebaf133c85a8cb5d989ccaa6cef7886ce4cf1ceb011940ea2a6b2b52d4

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cmdres.DLL

Filesize
481KB

MD5
1718f6ce41dfc9a2b4a6000650e81307

SHA1
222f6a3ad489efe2dc5b97d6072180ac173abee2

SHA256
93dec0d87779da628e27f8cbf36cf6179dd435254bfaa6bb85017b00a7b47cd6

SHA512
2694f7db96a0d93b81a1ea0c1a127fc449b12a76c7064a8284730c5412755d04d6df7c1376544a99c3237641013fb9d137638a6b95dc1f5166c08156acd2825c

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cmdres.dll

Filesize
481KB

MD5
1718f6ce41dfc9a2b4a6000650e81307

SHA1
222f6a3ad489efe2dc5b97d6072180ac173abee2

SHA256
93dec0d87779da628e27f8cbf36cf6179dd435254bfaa6bb85017b00a7b47cd6

SHA512
2694f7db96a0d93b81a1ea0c1a127fc449b12a76c7064a8284730c5412755d04d6df7c1376544a99c3237641013fb9d137638a6b95dc1f5166c08156acd2825c

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\cesguard.inf

Filesize
4KB

MD5
b327b2701eb12f28d1467d517488721e

SHA1
f0f11ac7b83e2fa2918a3ac1e163453bed2e1f68

SHA256
98d599432d696b3f555bbe1d61bd85782ca04aed1a27485cbfb0ace552caa963

SHA512
ca25173e5679163e533a45646c7f3f564c53af6e676d7f93a8c00a65f4384eb8cf7670b3a733a72b610959478e41295427ec954969d5cca457b0b42bb46d74ad

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\msica.dll

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\msica.dll

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.arabic.lang

Filesize
378KB

MD5
02208f0cb53087fd2939682d09eb4c2a

SHA1
044fb5e7d63e6d3addfa221ec98580c1c2ce976a

SHA256
6cecd7c114f0255a88165b4708d63007790d7c85183ce19601cfd0b7905e65c2

SHA512
33da6444d28694a4e264bd4d909bb563905a458cab8f16e7af5dc64a8c7763912c46c2b7a08afa75a5d5eede4284ff3c62175a68a572cfc1eaf430f982a1bb1a

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.brazilian.lang

Filesize
326KB

MD5
11feea9fad47f94faf018e6fb759d975

SHA1
b29513bd829d086725ceffce2a22d4850bb9ed15

SHA256
dc7624ee5629a76ebb6c02624ba462f328ac4a321b87c2c1edfb1577e3a5d488

SHA512
c4d6a0ce14f3ba4c942d962a12b97ac9520752a5842db09885e2974c0c0175b3ada0206f1370ae09bbcfc4876f888fbf1d32c9e4b014256169afecbc19b0310b

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.bulgarian.lang

Filesize
428KB

MD5
36478171a94170f0e7bc36bf6e1b22b7

SHA1
eeb23d4aa01d4e059e52ac9e7f74dcd6af733695

SHA256
12644bf30fddcf7dce31d7089423d15e91c7815d76d31a185e068a5e251b28e0

SHA512
2bc16ade783440b4e6995779faa6b10a8d0c3d4879af468d560a07a69ca166ac2f24f13962ff6af3b30b9f8a9ed3e42a20d912c64b6ab3bbdd02b2ace64b015c

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.chinese.lang

Filesize
295KB

MD5
5488acf81f6c2e8e6469a684a410fec1

SHA1
772a5b8e9e25f6fc3b531940d88237f4ea576bdb

SHA256
3671610a6fc2bd9f4cbe39e0ff65922fbe2108f74b2769f7e5359307d0648a1c

SHA512
c375a299c459d4bc408ce17254313134f61942e8abbac58ca49c9546699fa97c5b7dcdbfa14c4d581fb35e1ce4d0fafc8490b05805769523064a43149030109a

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.chinesetraditional.lang

Filesize
296KB

MD5
187a78d89744749675fd6f42609c8f40

SHA1
502939cb7f6e4ded0f0cfd14f1101e0773d0abb9

SHA256
e62aaef303765d91165c0514f3d91ab6968199774d1122c2252df15ab809ffb5

SHA512
409630d0acb63ebe761144a351ed5d0e1e5ba2b254ddcc2028998f5d4c46ab5a23bc8dcba18fe2872fea4c6d4d85bc25b0f33c0141be0aa48e9d11eee6130839

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.croatian.lang

Filesize
311KB

MD5
8b098c1f001a8063db4173ba4560fdee

SHA1
c99be1b14a3ad0b59bfcb5f78168174bdb170960

SHA256
60eae8965186df9af57ebf8e8da306c24697aa07eeb7df96902a444f33d25b15

SHA512
4e026dd0bc6e7553f7e1a7fc10282868edcdc8c8b0500b492a8cb24a0f3c95789648ed10c52621e53b89932d2d333215e48e0ff38657d1507f8d3c55c9468746

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.czech.lang

Filesize
320KB

MD5
be6024e32833d64d5b12b019bc6293a4

SHA1
68c7be7b28fc504c5483b3e48a20580674f70c07

SHA256
55b33e274b861add6aa9b28de20139dd21e7ff8be7637effeed2a6b9290fc0ba

SHA512
251723917472a7e956194061330006a3d0b5d3700a23b5a584020354cf91b59c894e25d43ab009276f51e74920ae935e209283f97a6b009c70db47c09e676097

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.danish.lang

Filesize
315KB

MD5
298837925c70f7efa0317fa86b380d5a

SHA1
68bcc2f6f3aac1dbc0f34242235423cea6200d6f

SHA256
f4b5896ee9b664a3bdb4ed9effb7e8a81bad5051b3b57e5cf7ff7b20eef9fff0

SHA512
3ab8284d89d87b98514647eac863bf7fcbedc4b1143cf0f3b1e2a0f7395daad2aaa5db54eada8caf248abcb495a6ba46d5ce0cbae87a4c37c4329462b82c0584

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.dutch.lang

Filesize
319KB

MD5
8e89a07699962168d42ab680057857c8

SHA1
79a242a5344293a89bb01f24b5f92f43cd8dc4b9

SHA256
82ed7b8389fc637a8821b0ba77340607c0694dfc666e41a6be7dda442e53c754

SHA512
097b3822a41612c1ce65a78ffb6178aeb2c47163a51d96218a5153f6efe61c3aab84087cfe432548d86c5d220f33083962cb6004db3c3bf28308a20c64f202a9

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.estonian.lang

Filesize
311KB

MD5
509cbae25f8c41165a0a8d31300bd026

SHA1
4bdb8f268241bbd406e538acc6b90de0be7fead9

SHA256
3eeb850df0e1e277620f39edb117d7908e12a01815145dd6d591c28089d8aeca

SHA512
d7893c55aca92305b5789698e342ea24f44a173731fd06c53ae3c392f2185369494dec6a790212b87dce423e4a868049f3abf42b8bd26e7382067a2ba11415c1

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.french.lang

Filesize
336KB

MD5
fe8fd2507a874b82166722896f535e7b

SHA1
5903b8f358cb0d9cbe4173446492532b47304092

SHA256
5fa17482c92f197f76aa0a6bcf5e2d8e0ee28e50006849c6f284c1ff66b1f194

SHA512
4055621ed8357297de689ceea9103fa0f2f6384b3eef3151f76e1fdc3b9d616a07c89996f76dac70380fbd0183f58f4a0f8541f9da15f03cdbfe6e0d9af4725a

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.german.lang

Filesize
330KB

MD5
52c5cc543c06f12b124475d58d85bcb9

SHA1
10d63a7a8f6719d106ec46753cdebb72f553f985

SHA256
347192dff4cf69a024028b9d07cb3cc040e3a04afea47da95d71c738de1bf9ed

SHA512
384cd98f21fac7d80618d1fc9e00688b83e9de43f176f176ec191220752344d87e5e8453b1d64d19dd855d2769d796a0385c78d29804d6af79d30e61086d6a2f

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.greek.lang

Filesize
428KB

MD5
ce680cb1f430cb94d9c209816f95b64d

SHA1
0b152444b3bfbf01ad2354c23ea0c969827fceed

SHA256
69abb930bf711040aa9141aa8bbcce8d4e4fed0a4c3398af3f6ae7cb4149f662

SHA512
f98f607fd9170c71f6dd706fddbe9e2c20cc4d728e7d70361e5a4e9630c760a65092a117d61bba24412539a5b756180b6e598565333eaff8f29d31255ae59b62

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.hungarian.lang

Filesize
331KB

MD5
4d782a9a60235763fb88f6cda1cf41eb

SHA1
3d685a6f77a0a1b5229e468f1b0304e280b9d6d2

SHA256
2d8cd14b903d6539dc19e7478ab8d98ec51a12027c374976ad48f7b78a80c8cb

SHA512
857ecdc4b7a8c819c81542e606a753f97ac3e7cd2c1501952170d3321b67330cbbfaa3d26325c5e8983e950f1736f074254fb3eb2de27f4738dc6d436acec1e9

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.italian.lang

Filesize
324KB

MD5
80f6537e71baef42cb909a6f079c576c

SHA1
973d8e96d441b1b4045481764f265bd2db255699

SHA256
e4d1bd5bc1039623d0b49ec0a408a799d8f8206b48604b47d6c3d7df55a444b9

SHA512
7c11ac4f788c157f947ae840bd8a6e14c2d398e9b035fc821bcccf41f5434f15f80f341c6f8981f714bb95bbd206bdb414311476f487d0e517c87ff0ed94b649

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.japanese.lang

Filesize
375KB

MD5
9d74000e20b05196348664356902d841

SHA1
9eaf7d6d0f105d1c9978bdd829f449f335123031

SHA256
85815890f8d840c544f8536e1e9501fb348c71db59bcc1997514bb5de7c4a71c

SHA512
d48fe46f9b08f1479cc811f6ac76399fdfccc57cbf85039fe8e043adb52e5460f38e2a545b6500a5c13b8125d7dc026bcafd00beb5171007b7e0719e55f68e0c

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.koren.lang

Filesize
330KB

MD5
4d3d3b9d9054d805d9a574a9246bc534

SHA1
a39e7cdfb50fee8c5bf44fede840e0ba3bb2059b

SHA256
d11063df262e9b7c6331ed817879a73eed97526b05a753609bb0c5f51c76c189

SHA512
6e2218da9a2eaf805d0074dd58d2b17af1b55c930ecfcd48313b723385f8ae10aecfaba12fdc13bcd6c86a63f927a1c58bc697c9a161ed21dde148b38b37c510

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.persian.lang

Filesize
380KB

MD5
5ed429a001f0c24480fcda8087802982

SHA1
20a318154e7c7f5bccf67bac85f984d89cdbc1c9

SHA256
3e16eb0810c44f1cc649211d785e5370c94f5bf4a438c4800b1724196a1deaf5

SHA512
e0a30bc2b386f2d77d7e9832d5bf92ffb0cad3242873f680255bb93dbbffed290e1656e49858004e9abb6ca2b1e22b92adf518e14357cf092a0c9196014c8d54

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.polish.lang

Filesize
324KB

MD5
335997e150d5d56b705aa016b2aabbcc

SHA1
73c3311dd8b1d8226050e478d8a03ad680a2e782

SHA256
d82c67908d573d74c3d7f0c3619ce40f342b43a508cf4c4a8a98a5eecf98dd23

SHA512
d7aa9bfa740d8491238b99ac0ba6c45d835ab22cb84d56d81333bfdfc1f9871e467163d727974b8af9de4de104d447256594d2df13fb5a610e32e6d410ea42c0

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.romanian.lang

Filesize
330KB

MD5
bb9380125a7cf7f8bb41314653e4b01d

SHA1
f277f84fc5a881a225dc4a1a9285287e0d5c7302

SHA256
f6f697164a23275ade5ebba60873bfe710087a8375d60efd921df70a375ffe46

SHA512
9ea322f972005690536e609f2b672dc157e9aa486ed3f436340c58c33390f1d1b64d194cd729e9f844bbea5a74a7997e040c2bbb15056bf469caea850b724584

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.russian.lang

Filesize
433KB

MD5
38f161cf8a2278adf355264ed2ceb964

SHA1
eb2bdacc4d7a5a3d9645600ebcbbad08d6d3726a

SHA256
2f19d8260c07f9a8bd846c7eaa892213efce811c76622fa01ea87fbd407d3bf0

SHA512
3326b7186b4994014511f42d248c410931844d3d17e499400ffb3c3efde5547606680ff42af2eb27231524004c02b436e4465b784493c9cd47473e56c54086c6

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.serbian.lang

Filesize
383KB

MD5
16471ad480c6347953e1dddf58cf95f0

SHA1
279c4d28b44127b14b3f5aefd9b8256520ee2776

SHA256
b51f0092b8904a215a1ea64d4f3ce8bc00d998b2ef4da1ef78affdf489a65efe

SHA512
d6f4d19d69dda1f3680a777b1d5c55c5dec5013d8cd32842b1721b50c9399ada7fb7c923ce49caecaba5b0aa7fbb5ed593a072d1c2f712c871952919cc7b6ce2

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.spanish.lang

Filesize
330KB

MD5
0ba7cfba2037d5838f0fc92b13d6c8a5

SHA1
98e5ef7c3bd6e7f74a6cc96467a9cd9d9282b3c7

SHA256
80dc88e8b48b581f428e1913e0db3a371ed9381a343ec54ea4ff5638c8317f2b

SHA512
7675853482adb1a8e8d0a93f0fe03687984648f6105441bcf3fc444832832c61c89bccbe042ab799def7e6a85d61b851f546e9210a2753b4e384e2d8cfa861bc

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.swedish.lang

Filesize
314KB

MD5
728b50c54027393590499a6a8d457698

SHA1
b7268378870c7c36bba06a8966a99c0a0934addf

SHA256
e07670d19869946921f51274c7f9eaff3dd4c74781552e08cff847f61a9d249f

SHA512
db973c1d9160a0efabb8a76482e9f48871f372342394bfa5b75b543e1e4fa679cb10e4bc9955b34c26c1d1f061c3331a6e603351e7afaaa5b606b16254d3e2e2

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.turkish.lang

Filesize
327KB

MD5
238032201e4ea3eb96dfef82af7d9104

SHA1
0b1d13c8279a835ebeeb6f6e4ceb2cb10a44ead2

SHA256
f23c813ef1465e9ea61e90cee75d9cefde3685478104757664f40d44c57681d7

SHA512
ab7b1101b5e625b393c7af04453ab537a6df1da01214d3ae346d60924572cd963e525f08ee94d5722267b40bdbcfbea7fd16ef6abc8f807d7e65d73c42b4c909

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.ukrainian.lang

Filesize
425KB

MD5
611120fcf82c6f2c4d9d67fd0bf801e9

SHA1
2ca095187ebabe6c6068fea582c28411e41a37eb

SHA256
b58f3cd4de3b06eb526a7cd441850cf9de5e5f89f498883ed1c2e4bbd7846942

SHA512
f51cb55424a79d3e3a4b8b64d2d7f4998da5e1bef7ab09efcac448be97b1f8a69247990f16a6df47ed1d9946ccba82cb119255bba78f31fbbe2fc5577300856f

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\translations\cmdres.vietnamese.lang

Filesize
344KB

MD5
262d547163890fb8c60781ab1df32776

SHA1
ea7049cdde07471463299d4864c9d55d9c617376

SHA256
17c6d84e7d0d13f71480f417e9ae2362e77707b2c648ea14d77e2249687f1b9e

SHA512
e6563c4128d0968beca20cab6f3bba13be7202c4401641bc3560b6d0279be26721f893d7d674e240813ff6da8edfc675e2270231bcda6c19a63521b6d4d17c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

Filesize
2KB

MD5
97e49fab213fce961440e3ec1d153892

SHA1
ef215f85ba6d416062de2dc696de6f19469071f5

SHA256
b929cb688a7b4c95d82cca064579a8675d14ea0758056b118e21b858059b810d

SHA512
6fc76c4a2cca1a53f17e2d515a88cb66a8392098c94a856f600b3f0f99503fef0ddf392e5f28a2f3e96403bcc36d87c477f34094e691dde026e726f8b5a8fd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

Filesize
4KB

MD5
db1c6b2174db6763163c4566b9570d68

SHA1
8fa9ebde025f9634915c556c3780e16a7376b176

SHA256
623d4169b5a644d8afac6d3829dc22b05702a78f4bc7faabd7380aaec5223744

SHA512
b3284641791a69b606eafc95c02a424c09efa34d86d771464532f5f602263982d092563d3ebfaa8ba2c2a049a6d5e7bdca3eb967b8a1359b80787cf26b9a6c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

Filesize
5KB

MD5
2e8c488ab2773d44ad32794833741be7

SHA1
3693e403f3f951c194df98ebd8819c67037dea8c

SHA256
13ed2df9f130d1c0bb3020ca408949c525a900760e09415cebaa036ec8ab6bbb

SHA512
7290c434e200d214db7b20cd8fc3cb11f8ac64bf6c6ae42907193b285f6f9e9e83baded12a5a853f3c446e68cd04badcd4fd7b343554cbd458b887d1f5038362

Download Submit
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

Filesize
9KB

MD5
4fce5d1efd17eda3bb04db81cde2cc82

SHA1
cab2f1cd09e6a271ee4eb017d1b914d4256697e5

SHA256
e2a2463085dc7929bc4b6e406e5cc3f8d3bd1fb7597869bbdb10dbea522ece09

SHA512
31cd39dcd683a0754b03dba24ab80d85f4c19b7d7511f26a45a87b5c3672c50abbd3f5ffc7bdeb642e82b96c8573fffdf905b2221e9c786c0ab12bc050dff605

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_24c29276a3b22c122abb6a74cd3ff4688bce62f6\ces_x64.msi

Filesize
98.7MB

MD5
b67ab07f7d035bf8bd6520fc24740d2c

SHA1
0bb3c1247149009e4a5852b1c28ebe92b97dec5d

SHA256
ecdc8a3c5f3ed885242ae40e96f039c9f0e183155444ed3e510319f44c929f75

SHA512
debeb51552bd429e108c8e4b010ada1635a3b883983f78f62dfbb34610a16bcc35a671fa746404466e0957f1a5c688f2e565c90386225259ba67076918a74f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_24c29276a3b22c122abb6a74cd3ff4688bce62f6\offlineinstaller.exe

Filesize
249KB

MD5
cc56a58b2adf5ae4b777a9ce95c2e158

SHA1
7ea03b2c65d6b19bd8a1c7fdeefe0fe9f946c281

SHA256
284c0e52432dbe2fcc60beaa6c1368069d9cfce9bb1dd8596b1fdb8a82b247d2

SHA512
a7d4294bd3116a0f5e9fd5e91924a3708f3fdc06767319c14c817459fe7ed44ee16b0ac244195dd8e544444a9fa303df4021af6d8f68736006b32a2ef75d3aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_24c29276a3b22c122abb6a74cd3ff4688bce62f6\offlineinstaller.exe

Filesize
249KB

MD5
cc56a58b2adf5ae4b777a9ce95c2e158

SHA1
7ea03b2c65d6b19bd8a1c7fdeefe0fe9f946c281

SHA256
284c0e52432dbe2fcc60beaa6c1368069d9cfce9bb1dd8596b1fdb8a82b247d2

SHA512
a7d4294bd3116a0f5e9fd5e91924a3708f3fdc06767319c14c817459fe7ed44ee16b0ac244195dd8e544444a9fa303df4021af6d8f68736006b32a2ef75d3aae

Download Submit
C:\Windows\Installer\MSI1B67.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI1B67.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI1C05.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI1C05.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI1C15.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI1C15.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI1FF0.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI1FF0.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI20AC.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI20AC.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI20BD.tmp

Filesize
167KB

MD5
e2acda08f2a0a3e94ae3ac975db689fb

SHA1
6608c264da412a029b9a520fc5374f4892fa8aeb

SHA256
d304e21e3327c62cc5a7e268ce65416a10a39a8e879e128122ef0e904984728b

SHA512
ae3218519a30e4575ad34b0083c3aad8f02f899b1d4063c99e73f45d2d5a9282670189ce275ebc28f1a9e64942032df33e6ac837ccca8aae559739b79f689779

Download Submit
C:\Windows\Installer\MSI20BD.tmp

Filesize
167KB

MD5
e2acda08f2a0a3e94ae3ac975db689fb

SHA1
6608c264da412a029b9a520fc5374f4892fa8aeb

SHA256
d304e21e3327c62cc5a7e268ce65416a10a39a8e879e128122ef0e904984728b

SHA512
ae3218519a30e4575ad34b0083c3aad8f02f899b1d4063c99e73f45d2d5a9282670189ce275ebc28f1a9e64942032df33e6ac837ccca8aae559739b79f689779

Download Submit
C:\Windows\Installer\MSI20BD.tmp

Filesize
167KB

MD5
e2acda08f2a0a3e94ae3ac975db689fb

SHA1
6608c264da412a029b9a520fc5374f4892fa8aeb

SHA256
d304e21e3327c62cc5a7e268ce65416a10a39a8e879e128122ef0e904984728b

SHA512
ae3218519a30e4575ad34b0083c3aad8f02f899b1d4063c99e73f45d2d5a9282670189ce275ebc28f1a9e64942032df33e6ac837ccca8aae559739b79f689779

Download Submit
C:\Windows\Installer\MSI9A14.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI9A14.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI9B7D.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI9B7D.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI9F46.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
C:\Windows\Installer\MSI9F46.tmp

Filesize
589KB

MD5
2bd2f2943ac2cce58c9a32efe5ab4707

SHA1
7d9a791e177ff54e3154b80844c0a0457e89d21c

SHA256
b75b3d0a57b306ab069971a8f50263bed07b3f1c2d3a5bce61ae073d20d61e23

SHA512
178c3965dcce19e325c7cf3c341b3b32c74e8b6f955e1559be091a0d774b22960448ca106e108d8ea34f9bc56737acfe424d91f1df9808053df2e1c4c1d8222d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
ca47a651fbd0cb816396bde094e80598

SHA1
d26aa7b83c7668810e60b48054f57796349eab1b

SHA256
84a8d2ec030019de63d3388e971d1c521ca0de9203c052e8dd0e740844e2f5fc

SHA512
10b9b9b125dc7c4cfc635598938731203a0eb81ec625428724e3e8d1b8f1434a6e340eb8a65c2ad4accb7d28a9d9f289bd4416b46bd600f04426ecf2d50d8eb5

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a4463d33-667f-4c4d-9f58-97eec5fd6962}_OnDiskSnapshotProp

Filesize
5KB

MD5
310da9439357bbfcd1067e13bd4a3b36

SHA1
51b442010b36291b3533be85fd9c1d55cbaddb8f

SHA256
bf56cf542a645b0970021096702e72adb3cbdbb8ec59d2749ab7f69524c8a4df

SHA512
16d58e5a2bb474bde0aec0e01e5f6b8f1833babd5897129669e45356d2aef4728d7e2f007a8b4a5b4b87bace760ccddc8d9088dd6dd2b4bc11d8ad3415cb43e2

Download Submit
memory/396-206-0x0000000000000000-mapping.dmp

Download
memory/728-223-0x0000000000000000-mapping.dmp

Download
memory/952-217-0x0000000000000000-mapping.dmp

Download
memory/1164-225-0x0000000000000000-mapping.dmp

Download
memory/1188-207-0x0000000000000000-mapping.dmp

Download
memory/1664-220-0x0000000000000000-mapping.dmp

Download
memory/1976-219-0x0000000000000000-mapping.dmp

Download
memory/1984-210-0x0000000000000000-mapping.dmp

Download
memory/2252-200-0x0000000000000000-mapping.dmp

Download
memory/2560-205-0x0000000000000000-mapping.dmp

Download
memory/3160-215-0x0000000000000000-mapping.dmp

Download
memory/3204-218-0x0000000000000000-mapping.dmp

Download
memory/3216-153-0x0000000000000000-mapping.dmp

Download
memory/3528-149-0x0000000000000000-mapping.dmp

Download
memory/3636-213-0x0000000000000000-mapping.dmp

Download
memory/3868-221-0x0000000000000000-mapping.dmp

Download
memory/3944-204-0x0000000000000000-mapping.dmp

Download
memory/4028-214-0x0000000000000000-mapping.dmp

Download
memory/4156-212-0x00007FF832C00000-0x00007FF832C10000-memory.dmp

Filesize
64KB

Download
memory/4156-211-0x00007FF832C00000-0x00007FF832C10000-memory.dmp

Filesize
64KB

Download
memory/4224-143-0x0000000000000000-mapping.dmp

Download
memory/4392-155-0x0000000000000000-mapping.dmp

Download
memory/4456-226-0x0000000000000000-mapping.dmp

Download
memory/4460-216-0x0000000000000000-mapping.dmp

Download
memory/4472-224-0x0000000000000000-mapping.dmp

Download
memory/4540-132-0x0000000000000000-mapping.dmp

Download
memory/4652-209-0x00007FF832C00000-0x00007FF832C10000-memory.dmp

Filesize
64KB

Download
memory/4652-208-0x00007FF832C00000-0x00007FF832C10000-memory.dmp

Filesize
64KB

Download
memory/4868-222-0x0000000000000000-mapping.dmp

Download
memory/5028-165-0x0000000000000000-mapping.dmp

Download
memory/5068-136-0x0000000000000000-mapping.dmp

Download