9b6394b0d1da147c5c718ebf3aba211ce2d4aefc63eb0dc80ed5cfc0db269bcd

Analysis

max time kernel
81s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmd_fw_installer_138430009_eb.exe
Size

5.4MB
MD5

b48216dca6f745a40645248384659fdd
SHA1

3bc265e7282bfb5c63be6cc73a2b7aad9a060904
SHA256

9b6394b0d1da147c5c718ebf3aba211ce2d4aefc63eb0dc80ed5cfc0db269bcd
SHA512

488fbd2b606c4f829b0ec05217b7d9be687cb885b988bc7cdcf7e1d61da2ef06fc422646696e24c2a1c1a63d793bda2293204037bd5a0178a673c00e91b226ec
SSDEEP

98304:n3oeoi7dSeyJ6A89FbeCD25kvriejkx9sZjMK6vx6IF/M8aWzBWcPNkNzt9e:n3oeoYSeyJ6vnKCD25kvmeh6vFF//aFU

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 48 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UsageStatHost = "cmc.comodo.com"	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Options	cmdinstall_138430009_eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam\PricingTerm = "cis.premium.free"	cmdinstall_138430009_eb.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam\Countdown	cmdinstall_138430009_eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Testing purposes	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options	cmdinstall_138430009_eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options	cmdinstall_138430009_eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Data	cmdinstall_138430009_eb.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Data	cmdinstall_138430009_eb.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam\Countdown end	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\Instance	cmdinstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\EnableLogging	cmdinstall_138430009_eb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\UsageStatHost	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Options\Proxy	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Data	cmdinstall_138430009_eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Data\CmcWindowsVersion = "{\"release_id\":2004,\"build\":19041,\"ubr\":1288,\"major\":0}"	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data	cmdinstall_138430009_eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam\ProductID = "cis.fw.free"	cmdinstall_138430009_eb.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam\SubscriptionID	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Testing purposes	cmdinstall.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS	cmdinstall_138430009_eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\Instance\{48222F79-874D-414E-9563-03C664764923} = "544"	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Options\Proxy	cmdinstall_138430009_eb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam\SubscriptionIdFree = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e5ce7e432d365c4baedece5ed2bf0ead040000000200000000001066000000010000200000005ed351b3236bb5daf75ba0cf8d9e7d66e533927967d0b20bf82060404e57384e000000000e80000000020000200000005f5f25dcf20ece5b13fc265ca76a82b32768ce630f0774f32062d07016835ea910000000428b6d48380ba28a453f3602d3db3fab40000000f5b0c9c1cb1f372739265bf3a7e93e3b0a00fe7e44127db2bd71ae59c0a20db196219e33e4adb49115c2f80328a753c770841a575670e1dd137536a2e23c5e2c	cmdinstall_138430009_eb.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam\Countdown begin	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Data	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Data	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\VolatileData	cmdinstall.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\DbgTrace\cmdinstall_138430009_eb	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer	cmdinstall_138430009_eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options\InstallerName = "cfwinstallerx64"	cmdinstall_138430009_eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam	cmdinstall_138430009_eb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam\LicenseKeyFree = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e5ce7e432d365c4baedece5ed2bf0ead040000000200000000001066000000010000200000008913ff02bb46196875650f2e83fdf1fddf6d0baae635a7d14527cc36acffe543000000000e8000000002000020000000379d35e618c349cd7a8aec2e5c163ae0f8e42e093f22d021acfaaef769f02c6030000000bedff746cf927419f2ae46ffa7f756e89675a4b4054cb285ebe5a27d1f3b4af80556918268b7157ea42e756ddb393d6a40000000837f8204638fe1550e68b2cc163af46b856539fdcfe2722659ea460641c1f693ba8924f9dd7f354b4c09a16d03b9ea12a1d08c5b1ed29990ce27a476e6361a05	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\DbgTrace\cmdinstall	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	cmdinstall.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer	cmdinstall.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Cam	cmdinstall_138430009_eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Cam	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\VolatileData	cmdinstall_138430009_eb.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Options	cmdinstall_138430009_eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\COMODO\CIS\Cam\ModeEx = "0"	cmdinstall_138430009_eb.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer	cmdinstall.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\Instance\{48222F79-874D-414E-9563-03C664764923} = "444"	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Installer\Instance	cmdinstall_138430009_eb.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	cmdinstall.exe
File opened (read-only)	\??\X:	cmdinstall.exe
File opened (read-only)	\??\J:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\O:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\V:	cmdinstall.exe
File opened (read-only)	\??\W:	cmdinstall.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	cmdinstall.exe
File opened (read-only)	\??\A:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\L:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\Z:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\S:	cmdinstall.exe
File opened (read-only)	\??\I:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\R:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\K:	cmdinstall.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	cmdinstall.exe
File opened (read-only)	\??\Z:	cmdinstall.exe
File opened (read-only)	\??\X:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	cmdinstall.exe
File opened (read-only)	\??\P:	cmdinstall.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	cmdinstall.exe
File opened (read-only)	\??\H:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\M:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\S:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	cmdinstall.exe
File opened (read-only)	\??\T:	cmdinstall.exe
File opened (read-only)	\??\U:	cmdinstall.exe
File opened (read-only)	\??\T:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\N:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	cmdinstall.exe
File opened (read-only)	\??\Y:	cmdinstall.exe
File opened (read-only)	\??\M:	cmdinstall.exe
File opened (read-only)	\??\P:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\Y:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	cmdinstall.exe
File opened (read-only)	\??\N:	cmdinstall.exe
File opened (read-only)	\??\E:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\U:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\W:	cmdinstall_138430009_eb.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	cmdinstall.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cmd_fw_installer_138430009_eb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cmdinstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cmdinstall_138430009_eb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e588028.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e588028.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
444	cmdinstall.exe
544	cmdinstall_138430009_eb.exe

Loads dropped DLL 4 IoCs

pid	Process
444	cmdinstall.exe
544	cmdinstall_138430009_eb.exe
544	cmdinstall_138430009_eb.exe
544	cmdinstall_138430009_eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCFF154D-A97B-4138-A1AC-A2B0C3C05696}	cmdinstall_138430009_eb.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb42000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 5c00000001000000040000000010000019000000010000001000000082218ffb91733e64136be5719f57c3a1030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b402340b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df10400000001000000100000001b31b0714036cc143691adc43efdec182000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	cmdinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 19000000010000001000000082218ffb91733e64136be5719f57c3a1030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b402340b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0400000001000000100000001b31b0714036cc143691adc43efdec180f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb419000000010000001000000082218ffb91733e64136be5719f57c3a12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	cmdinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	cmdinstall.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTcbPrivilege	444	cmdinstall.exe
Token: SeTcbPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeDebugPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeShutdownPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeIncreaseQuotaPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeSecurityPrivilege	4976	msiexec.exe
Token: SeCreateTokenPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeAssignPrimaryTokenPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeLockMemoryPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeIncreaseQuotaPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeMachineAccountPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeTcbPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeSecurityPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeTakeOwnershipPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeLoadDriverPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeSystemProfilePrivilege	544	cmdinstall_138430009_eb.exe
Token: SeSystemtimePrivilege	544	cmdinstall_138430009_eb.exe
Token: SeProfSingleProcessPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeIncBasePriorityPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeCreatePagefilePrivilege	544	cmdinstall_138430009_eb.exe
Token: SeCreatePermanentPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeBackupPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeRestorePrivilege	544	cmdinstall_138430009_eb.exe
Token: SeShutdownPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeDebugPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeAuditPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeSystemEnvironmentPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeChangeNotifyPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeRemoteShutdownPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeUndockPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeSyncAgentPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeEnableDelegationPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeManageVolumePrivilege	544	cmdinstall_138430009_eb.exe
Token: SeImpersonatePrivilege	544	cmdinstall_138430009_eb.exe
Token: SeCreateGlobalPrivilege	544	cmdinstall_138430009_eb.exe
Token: SeRestorePrivilege	4976	msiexec.exe
Token: SeTakeOwnershipPrivilege	4976	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
116	cmd_fw_installer_138430009_eb.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
544	cmdinstall_138430009_eb.exe
544	cmdinstall_138430009_eb.exe
544	cmdinstall_138430009_eb.exe
544	cmdinstall_138430009_eb.exe
544	cmdinstall_138430009_eb.exe
544	cmdinstall_138430009_eb.exe
544	cmdinstall_138430009_eb.exe
544	cmdinstall_138430009_eb.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 444	116	cmd_fw_installer_138430009_eb.exe	89
PID 116 wrote to memory of 444	116	cmd_fw_installer_138430009_eb.exe	89
PID 116 wrote to memory of 444	116	cmd_fw_installer_138430009_eb.exe	89
PID 444 wrote to memory of 544	444	cmdinstall.exe	90
PID 444 wrote to memory of 544	444	cmdinstall.exe	90
PID 444 wrote to memory of 544	444	cmdinstall.exe	90

C:\Users\Admin\AppData\Local\Temp\cmd_fw_installer_138430009_eb.exe
"C:\Users\Admin\AppData\Local\Temp\cmd_fw_installer_138430009_eb.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe" -log -setupname "cmd_fw_installer_138430009_eb.exe" -sfx "C:\Users\Admin\AppData\Local\Temp" -theme lycia -type web -mode cfwfree
  2⤵
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall_138430009_eb.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall_138430009_eb.exe" -log -theme "lycia" -setupname "cmd_fw_installer_138430009_eb.exe" -type "web" -mode "cfwfree" -sfx "C:\Users\Admin\AppData\Local\Temp" -logfile "C:\Users\Admin\AppData\Local\Temp\\cmdinstall.exe_24-01-26_17.19.43.log" -parent 444 "Admin" 1540
    3⤵
    - Checks for any installed AV software in registry
    - Enumerates connected drives
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:544

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4976
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 1319BB6F766C54A34D506382A01A20B7
  2⤵
  PID:5972
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 398C40C06FE19CE3ADDAF7C8E2CB415B E Global\MSI0000
  2⤵
  PID:4264
- - C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
    "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --langID 1033 --createConfig "active=fw;dplus=opt;esm=0;av=0;fw=1;cesfw=1;cesav=0;cessandbox=1;free=1;noalerts=1;cloud=1;sendstats=1;configfile=;fwstate=0;dfstate=0;avstate=0;bbstate=0;avservers=0;standalone=1;useblob=1;trustnewnets=0;"
    3⤵
    PID:3164
- - C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
    "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --upgradeBackuped=""
    3⤵
    PID:5852
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    PID:6100
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:6096
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    PID:1948
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:4636
- C:\Windows\Installer\MSI8A80.tmp
  "C:\Windows\Installer\MSI8A80.tmp" -rptype 0 -descr "Installing COMODO Firewall" -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log"
  2⤵
  PID:3316
- C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
  "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --installCertificates
  2⤵
  PID:5512
- C:\Windows\system32\regsvr32.exe
  "regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cisresc.dll"
  2⤵
  PID:5604
- C:\Windows\system32\regsvr32.exe
  "regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cisbfps.dll"
  2⤵
  PID:5632
- C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe
  "C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe" /RegServer
  2⤵
  PID:5656
- C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
  "C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --updateHtml
  2⤵
  PID:5684

C:\Windows\Installer\MSI8A80.tmp
"C:\Windows\Installer\MSI8A80.tmp" -rptype 0 -descr "Installing COMODO Firewall" -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log" -working
1⤵
PID:2840
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3876

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\inspect.inf" "9" "471514ecf" "000000000000014C" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\COMODO\COMODO Internet Security\drivers\win10"
1⤵
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe

Filesize
512KB

MD5
63a26ba7f9e5c4b413c04f76aad7edcf

SHA1
969cd945dd4ef45d2595082255cabdbb654d1535

SHA256
4f6456a13976b9e2f2b677caa09d970815b745a8fa0362e769c5ee9d8f55d1b2

SHA512
fb1cf0e2d6690fa7ab202d78b9b7494068229838298c71b5826941f8a5b0b9350a0344dc7ef4e1af85d2a41fb1f45bddbb15f1fc8789bb7b7ccbf61f820c4a9b

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe

Filesize
399KB

MD5
6d6ba8e0169ebcd845647b9997038dbe

SHA1
b4ccdc97f697f06c4c15d87d71143fec65b86011

SHA256
154fa7c59fa1702230c23c541ae608b799ae08c0ba1f517061faf108e837173f

SHA512
5e1ce69727948f41720d100c1e4e23de0f2a0ac764140fe76a052d625333d5d421eec9114e0905e96a1a796466d6c796c243f96e43f61c9609ae748dd879575f

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe

Filesize
456KB

MD5
cc4b3d57ec9f31ae71dc4bf12a51eca8

SHA1
e8c778ce540f06836103c579c6e17f865b81902a

SHA256
3818a334439ca6fb219e72f4cb14358ce318eed76f9d7336db3b0292d222ab6f

SHA512
7f8ebcce5b44d8ca191e3aa542596dd8eab5f5df8419b21ecee3976a9e354499d07f09aee1b9180c22ce4094a8b21288a547c0e9a3ad2d15c1ecd08c1afdf4e9

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cfpver.dat

Filesize
13B

MD5
0889f8a78fdb667192b0a3617c51db9f

SHA1
32e9fe7b4f309e1605ff3a55ea1e613167f463f3

SHA256
6cc8b0fb91f5e5d31e6b58ecd11f33ef2c8e2d65a20639374fe0789deda57056

SHA512
a357766bef664ad1ae093f04c470078c5f2288d9ef6deb876b5e2b97ab6211c9cfb87c40c545ff3c5288cb04bac89c862fb21eefef784ab574bc8e3a5f6c1f47

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe

Filesize
251KB

MD5
0ac6f2e6487b82ccb89033ee84b615e1

SHA1
db55e4017c4c7f442b8565cc80492d4261f1a539

SHA256
7c3393696d205b935add38ea8a8ada9f7fe18d896cff97111b08f59a5b04e475

SHA512
a67c0d4675f325b479539c57c63944ce32632b4e1dfaf5507ed00bc2f8128dfd2c179138afeb35a7acdd8c932124c550a748db389a42082f3e03a19d9868db55

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cisbfps.dll

Filesize
98KB

MD5
728a97b5b669c3b6dee064b5b3dc636d

SHA1
cb3d70083d65aea7dd18ee4da3844138a0d0ceef

SHA256
1306e31bdfb5c9e30b0b261125a83c5c544b3aee0e450b547e4055d533451169

SHA512
7ddcfc99ee9d4c351ad4b0622af24d27e5a6f64123fa0ae542918efc86ba832cf76b0bb36e9943be3bd6ba0d78be926310fe997045ae5babbf1f90f411b97930

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cisresc.dll

Filesize
252KB

MD5
b54ba5c6737c7c84b5ef7117eadc0664

SHA1
4a879b436e5c60f40aabaf9da97396cb3631acb1

SHA256
92e3b22a5652fce895eeee118dabf070eae0a9e7575324970cc0e43723c37e55

SHA512
382969362f55513fcbff571f23058f6031d4cd96e05ae1808b348df67e032cf2f667812b90718abf3eb79aa24dd5c4061b34c09ad06a044d13828c5f21fbccf2

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cmdres.dll

Filesize
328KB

MD5
4647a239a2dc64075625e77d8cfd3ace

SHA1
46e19932d8758e7c0b20e4a1aa12f88363c4b3f8

SHA256
c4426fb1d12ed70632ab0f6f9d7e04e9467e7ca420198cd45ffd30e8fac8a984

SHA512
96ebd0c2e711fd48e9b03a4715e997374d3ccd38027b83c42396066a5a779d3a266ef0e081806bfe61248344c22768429cb8fb370daafeb6019a260c7dd5b0f2

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\cmdres.dll

Filesize
441KB

MD5
6d7caec45f44db9a57307fdca673531c

SHA1
6c03ea2c84837edb1ff28d883db361fe8b530ba4

SHA256
973b7eef70905bde2716eb07626f9a7df9736190e02922eefff2b47619d81ebc

SHA512
9f5f204cabeee610b09321d1fdeb416e92d0ce1137f18f1544cca5496e48937ba381d2ed916cd8fb6a53834f20e566caa576b7a5792c5b7aba2c4a7000a9715e

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\msica.dll

Filesize
439KB

MD5
42d38239fdd1bf7bfd9d73866c8a29ff

SHA1
900f330ded5565bcf17f7a3621a42698c9b06e9c

SHA256
16290d31acd2d9c729a556e383e0bff6750d2716c5af6004515e6d1a87436471

SHA512
1106050b11ecb50592d974b269ba8933bf99ede246a472b0d3e07d28ddb932f679b34dea9b80b2885bcf747dfd575a3bdce96a043938576d959ecb3491e68645

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\msica.dll

Filesize
444KB

MD5
3959c0252787fc1d33fc908c6899899f

SHA1
cfb1967baed99cf283aaded21c2ec7bf8b87c4c3

SHA256
79104c70a30b8a5cd1bcd35c8f9f852648d47892aef123b12a6abfa77b07223d

SHA512
dfef42afe31d5a9b572569432444c926f472f16b015f622a3bd953edadea40abf848a91c22e657f5305b79669f82fbf198caea8351dd6b0ebbff3c360d1822a3

Download Submit
C:\Program Files\COMODO\COMODO Internet Security\msica.dll

Filesize
145KB

MD5
f79428a598cb27fde0fd54644393f022

SHA1
c58087f1c00ad5a7e880160b7b9aa0047c57ddf9

SHA256
489b231f90374d3f246988c49cf0c0b0fd36dc67333ff21563838b8fbbdebcf5

SHA512
9ac0a6e9fcf4ddb1fc0149daa41bcbfc39199d2da04cfa255feb5f0a5d76d082c5b4b5d85ebb215148c1293af3cf3df6ee9b3ff712eab422bb5e689ab98c3b15

Download Submit
C:\ProgramData\Comodo Downloader\cis\download\installs\8050\installer_data\binaries\files_info.dat

Filesize
34KB

MD5
f42c56a1f750bdf43155a2aee0f1407c

SHA1
0929dd9594fccffe5e7e43ea33a5eb6467afab0b

SHA256
86e8a71d1327fe5f26901c8a7d10bac322dce1ff621e1339db9c7b6ab905244c

SHA512
31dc56d6455391a0075ab59d438335c9d38da43e1ef974bcdf14be059d63d48f8a8f7a1f6cd9eb5e790519a3824f59387abafef48417bbeb74e34b526646b8d9

Download Submit
C:\ProgramData\Comodo Downloader\cis\download\installs\8050\installer_data\eula\eula_cfwfree.html.tmp

Filesize
171KB

MD5
b655d81127550b07fbe2ac849e6e1e42

SHA1
61fa51e4c9f01d5c7302a8a9ac6c43bbc665c45d

SHA256
32ac5b1265a7cae273baab2be295ee71a9033ff4233bf92630872523770cc241

SHA512
4a8d05f7488e6bc91aa545618e1d6dedb7508bcf7d635777e2f67c82fcc40e29116924598ed563c7778c32e6a837a5f6467d8d4c01ae282a84b89783fbde9571

Download Submit
C:\ProgramData\Comodo Downloader\cis\download\installs\8050\xml_binaries\cis\cis_setup_x64.msi

Filesize
16.8MB

MD5
a3b0149bd68ddea577ec9c58b8efaba4

SHA1
4c13efba741d90f5b996093550b0f40398c9f8e4

SHA256
3b0ff0a616cf34b9e7399a9887dae92dacf75acd40ff8d8cb495ad515b5bafcb

SHA512
886d215671ffd3be3e74d4fcaea4194c555f66e9ae8d9a2ea946f8ab009564d9a0222c4796b25367b88263ed015125d2ef5b7856969f48034b34430910e61952

Download Submit
C:\ProgramData\Comodo Downloader\cis\download\installs\installer_data\installer_init.xml

Filesize
20KB

MD5
06c0057d77fc4789b1428dd6710cd5ab

SHA1
660445d67f92e84ee9aa96a7aa6cd50ba43148ca

SHA256
e3a998c06b37cec5570409e0714af72a1a936759b4420adf1b0dfaf43bb7218e

SHA512
497a86bd35149465ef3ce3d7b483a3d4950475963a9cc20075f4f92a54b05fbffa97b537b256c9bcc31a3a20f4229d33ceed45f6bd30fc9057cf879bbb368a91

Download Submit
C:\ProgramData\Comodo\Installer\cis_setup_x64.msi

Filesize
6.8MB

MD5
c26d1ed49c9590e1d3f883c9f8b74c7b

SHA1
8da9de4e3a1b8c47e0a21d0e6cdff9b7aead7afd

SHA256
2bdb697fbe34ab48ec845c68c5eb28dd5389c835073ad521cfe131ccb9cd48ab

SHA512
4929d06113d5ef91e8212acdb094c11eff99f5744b9bacbe6ad9c5d435be65cb08bde7691c7412862d6d890975abf8070ae2a767e1a3eedb2c2e906a125aa5fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

Filesize
2KB

MD5
5feb726c80581fd9682adfb5efda6321

SHA1
cef872c194d04647d6d9d4d4372a7c95242c7fd8

SHA256
11be52cfeecd0d9406246c2e9f1467f179f0c46f88a16a1552691dfbeb100718

SHA512
0d64b73dd0e3fab0076e54ad62fedeeba28fa7a917c324e0ef5a5a12fdb8599da6481fd3a8a03ee79bd1c475abb1c7019bfa872b4d0da412f72c0534b6bf001a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F26A2159BA21EA573A1C5E3DE2CF211_7541962669C96CEAB06421EC12621007

Filesize
766B

MD5
afd26b4d172c5cae18a4dd49630e49cc

SHA1
8a2e513ed2bbc0d265ae756fd88a9a0e98494426

SHA256
7f9dcf4870c902aaa62982f66c42e2e0bf63348f2dd29bd5ed9619e6bf5118fe

SHA512
468ffc632bdd7c6249e9f9b08791bdd190a38c7ecf91d3c200334582841bf2037a522504b13e6fe097941989a9c105e024bc70012afaa6b4d3808cba98046da5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_941A5BE5FAF3230B9FC294754AF2A1C3

Filesize
509B

MD5
d5b5cd332ae3f960a05ef1a58984e1b4

SHA1
4385216a63b8a206fd762f903b06b3249c44f398

SHA256
96834690ead75d4f8c0ec22894abc257c5d2d0d3a2ffec250f88896530be89fc

SHA512
e9de5619e95dde747232cb7cf08a3d0b9c41960faa89acf201d132de071d45d4df165095eb5814208eff1d9797bbba57fcb705198892ceb7e77f606b7717747c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

Filesize
490B

MD5
890a6d96d880844216c36a590c44c1c6

SHA1
ba08788d6756d7e4d703064309ebd69e7978deb5

SHA256
3d8866f144b753d7576dfea62484bb5bf453f8ab972e55680841bfa49b2096fd

SHA512
54fc10684dad3ae9e6c7abc266da2846803b273e53c6fa8a5bd456a4312b094b4e290399c92d17eae154e453c05e07799ab26cc2c19c7fb1cf22090a256fe4dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5F26A2159BA21EA573A1C5E3DE2CF211_7541962669C96CEAB06421EC12621007

Filesize
484B

MD5
4c1fb67947dfa3e70a6aeb2e0c800276

SHA1
50f4d3cba371574a6ac4f3803264428260bbc126

SHA256
848c91296f945be9dd3fee2d51d78cb02e81526f8573a9ff8c8dee0fcf589305

SHA512
67b9f104f64e73ef74c57ae6ecd322045b831022eb62e8fea3f81102115a04b08c25fa4391c5a6f357b640e826bcc2801f169fd18e1a796df8ef9a9100b455a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_941A5BE5FAF3230B9FC294754AF2A1C3

Filesize
490B

MD5
cbd6bd67125486629a76284f0b5b6234

SHA1
d6f18266d5cadd52ebde218081cc7ab9a6fa0b7e

SHA256
e03614967bf212fcc3cc96ee278eef4fefa06425f11e61408da041c9c4a477ff

SHA512
4f92d6bb6f802549952bf470d8b3e25d85d28a8a2e5e2f3ec72c2ea8e56166d1220bd25f7a02f27ad62f1151b47dfaa1e390accdf52a0a4d00e2798ec105ef5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.dll

Filesize
277KB

MD5
7baac18fb157c76574ca3d7a2f5eb193

SHA1
6460577ce621fa28133096073376f6a88f8acd61

SHA256
347144ae998d96c6b8664abf56f3ff8cfa4dcdfd6e13205d7e8ee2f3b77eefc2

SHA512
513cc213da81db470f8675c29162f4b724bb92a690edd451025eb68588971eebb937f88cc5a659222f2bbbd99440aa56800bf4167bb8912ea87a0b2648b002ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdhtml.dll

Filesize
4.2MB

MD5
6d9aa26bb18af69dc74ae8e822eb53dd

SHA1
6ef20da9b9e70afa742f047f1c6f9d3e58290450

SHA256
cf140523b8834de1c37efa29b02adcdc88babc0f8ee90ba93dd98c260d7036c3

SHA512
3a9e8f15d207e98bb182f8d1838e93dba9750e6cfc79b72aab0706f969866447e50b3ab28bc1768a7cac7e7733cde80085cabcefefae0d287f08374578935c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe

Filesize
5.6MB

MD5
89f02929ce691d6cd76b50675690b17e

SHA1
0c8ff067c8a1cb4b58dc568dbe727ce03137ee30

SHA256
36dd398bf9eb4f0068c49daf1261d41cc7693dc82ddac80a8d9527a259e359f1

SHA512
4c8c0aa74a1136cbad07b79586e2cbb29711a58d57407771bc552fd236499285e9e6aea28f981844f2de529839d205c4c7fc6c45f886ee7bde2b93469548e11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe

Filesize
5.7MB

MD5
74cf93a3d559a630911fc94568b99e1e

SHA1
a5f164154e164174c715e493f440b1935ec53af8

SHA256
fe82eb2103b177370e742aee40a2b840805516ff23867f6b9bd3655a401eb50b

SHA512
c000d512e270d7f89058fe52a3ecfac6f60462eed21b134ebb57640cc6425e7ece9b6ce683acc666d8358875c8d621497a8e3eb95b4ad72311efb9d12c03100a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdres.dll

Filesize
367KB

MD5
a4b3e07a9d407bca7a0ed76ea7c4945f

SHA1
af16d87110e2f9e64d5c35a6d522151b69377bbc

SHA256
b115a17e7500dbc34cce1f8e84a59f072a26ad49be5dcde6ac5908e4d2ad3555

SHA512
77c6ba298f5bd4c04192660d365d2a45ecb23fa441818735bd01050677037e1976670dcb457b6684343fbccb02a6fcfd98f22ae9f2de263057157917ee28d981

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer_langdata.bin

Filesize
5KB

MD5
b80eda6258e28b537651f8e5ebd997ff

SHA1
826741e138e8342f4bc3303838e347a44bb93546

SHA256
6e960dfed451c2dfb99352d25d3df8dd46fe7d80c9af79805c0cfbd1a99a2709

SHA512
9fce1cb5fe8b6a2bc4d13c1ca3ec31c926c6dd33717f145da6952ae33144eb11a6ee9e751e1d3e2d5d6ce7768e9f9602773a917d9f5f8473670e6d631b932b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\themes\ilycia.set

Filesize
764KB

MD5
7b85f91536c8342ac64d3edece2af7fe

SHA1
1e28c62364f606f03078e985222a2e3400a483c6

SHA256
918e7aad857776a895ecdf850665c355026882bcf1e0eba279ff4f7aa4b6bbae

SHA512
42cbaca95018eba8b05d3d586dbe8537ec1130af9edd813c4e7affef88c804a4ae65d9a446a95326508cd21da03a7e6a7969f6de5a68e69ce86c827f4308ac5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\COMODO Firewall_24-01-26 17.21.02.log

Filesize
1KB

MD5
7a312dd66fec42368ec611b0c1ef5f6b

SHA1
9782574f92568d3b1aa99ff4dbb97184c2f2d1d2

SHA256
d49d30c740a6e5f44979871965cee2c0c6778ef1782ec2a5d7f9e6ee53aa06e9

SHA512
a49c7a4986937b2d8d12ba361f9ae9e9c9b6b214ebdc141f6b7abb7aeda34595818659172923e643b63ad067e4eb93f75b2aacd97197d9b8039f0692d6344243

Download Submit
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

Filesize
4KB

MD5
1126d61d827ec47d3b8a5aaba765e631

SHA1
d732344943841b2c4c27de6e469dbbce54dd5d37

SHA256
741aaecb8dfad7219bddb9ab89d61b247e929ed7648ec09267e4b2becf12d5a6

SHA512
d1cba89026b53b59c47191e948e89c265b297f200ab548cde0bc1db427525397be84452c910de29f5ed0a3a8efd9d7eaedd68de250895aa9d02a1551ab2ebe59

Download Submit
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

Filesize
5KB

MD5
f9c19acc3194ccb7640b39555faa8bd3

SHA1
a85df7775af72f924d5d1d988f30119cccc90867

SHA256
ba3a00982dc5100fa35970cdc658bdbdc3aa0d676c2edd3bde8062bfa8049577

SHA512
adae774a103d49061cc03ae333890b462225adfef27ff242cde16c63a8154d9b626c8927766ce9566a37c1179159dce53db00849da2f187be13d19a4dc725bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log

Filesize
7KB

MD5
ff2c567c740e9b7712933df213db8b06

SHA1
dc578b772dbd97a82988e17f3d546382d8f5cab7

SHA256
8f294575c7ccd134c886504faa6da0a585b4dbcf352c2c5a0a814970ba2ae59e

SHA512
868089f64fbbf61dc83c1ddd0778f8a06a1f22db3677a2fe6ec8083d6da606f3d9bb23d0d911987236b5630e5abfbcecda3e264f977ba4195014f849f55cda1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmdinstall.exe_24-01-26_17.19.43.log

Filesize
6KB

MD5
69858cc408d157d0ce2d2b697300e0f9

SHA1
0ecceb33ef0c407ce72ef1a5cf48850a24c514ef

SHA256
b0af8edd58be7c62aa82927ad8fc2ffad876faae4504f1bf0d38e7ea89fb7e3b

SHA512
8a0acc579af6b1474b67124c0322dca71e3e6f32a67f781c031a197387625c839554ecc2caf31a304a25010d2e1a13b8df03fcc895540273754f689e026dc98e

Download Submit
C:\Windows\Installer\MSI83C1.tmp

Filesize
1.3MB

MD5
19f9385589b74d6baf6037674fc5eea0

SHA1
b0caefa35e2bf82e6d4bbeefd410acb9cae8763e

SHA256
e3da715a235772a8e8426ecb25583b74523ad7e6ea02257d6ec3b3620ca865d0

SHA512
c0329b960c80a23d3d2efe1c597120b9ecb51a2a8d8baffd4882ab7a0f6b0e9704ceb3a9787fdc506fbf84c4f7df2954389bcc3923dcd2cf24e6366bbd038ba1

Download Submit
C:\Windows\Installer\MSI83C1.tmp

Filesize
804KB

MD5
9d0426b1bb9ddfe2eb17af6b3c5d6f6f

SHA1
0ed105f225a77f2734419f286042805f739d87c0

SHA256
74bab0c1a8f95310e11b830ca14151c9b3dadce4bef5ef95a0b967f6c7ccf0ed

SHA512
b0c7a4e6187939311f40d54dc9833893799d278137387bcf6bb7d51a322dca604c1f697d48825c160f4ce0f0ee2801fbfb13cc8397d5d4014ca5b1178ad43747

Download Submit
C:\Windows\Installer\MSI849D.tmp

Filesize
1018KB

MD5
aaa283ca580d924331fd92cad51fb725

SHA1
f21dc9ff2e51c453a1da0f03910525961189f868

SHA256
94b5040360e1051c306c714af5d67b06dbeb564f2df90d35f036f5723f8fac2c

SHA512
781521bcdc27da6b5582fc3a7cfecb90a52a90394fd4597939bd566126acd1da8902d3802346a32a468837a597b5c839378e890fc25832fd07b828eb7d6161e5

Download Submit
C:\Windows\Installer\MSI849D.tmp

Filesize
935KB

MD5
e066635d42ea7c7ea98107d6f6fd3364

SHA1
860c47bc667f306c8927eb4e44552dca71f1c75a

SHA256
68e4f9237e16e71020f5dc4cab4ca3f16b3138103328fa1eeb6a5fdd525a3b40

SHA512
70fd1c21d0986ee422ec118fc27169143f1a50dc318e8702f93178c6119f1574425d16b86e7db4baf0bcac8c1f0fb87d8f7d18edd235427e332392ec968600e6

Download Submit
C:\Windows\Installer\MSI84BD.tmp

Filesize
987KB

MD5
a6dc4c0aadd3638bb658a9da79f3ac07

SHA1
fcf7ddaec7fdb1274d6208ba34d39b25544a30cd

SHA256
f176fd366ec7bb5bac3a5073e38aca6ed921252af5ace26577afb0878acf0791

SHA512
678ef7056c9185019ab1f48a8ce89a9129a90a8a7e9b258a05237a49f63a76e544445d2c0153841c9fece42f2ff677c2f4b9b0019d253570d933f05c3a47f075

Download Submit
C:\Windows\Installer\MSI84BD.tmp

Filesize
822KB

MD5
aa40283130a019296a1a28d1bbc4c026

SHA1
3c20a09cb7c8ff80c45f05ae0205ddfccdd34db6

SHA256
a2f74c40386aa766fee6adb6e44dd4d5625d4343fda324180f02a67a74965494

SHA512
d31618b84ea768ad7dc8d2fe9a7868b7b55de616371b65e3cd6a50a7a3d79fbf71d2390d12534f3a9840269a6911d55000ad0df327f9f2bb50a6ec03b67dec78

Download Submit
C:\Windows\Installer\MSI84BD.tmp

Filesize
1.2MB

MD5
723803fda9b669f5354c5de4142aafbb

SHA1
3e7451fa6b788c8ef21e0cc66fb9732bc2e34513

SHA256
3354161fbc48304e9e299599852f0dc6bd50924a8180268644538ccda4e141cb

SHA512
bb15810d7a5ea54bfbbebd4b9158bb010a90620dc046dbdab72c854ccd9c4f4cb78c632a59e6cce66fc6c0e911b52a5d87231f9ad2671c43df8645f171aa8933

Download Submit
C:\Windows\Installer\MSI852C.tmp

Filesize
840KB

MD5
225499a2b18ca395cd4ea2fad1865ca0

SHA1
df0dd3ea3d0fe5255bc5199bc3f33e535439d5c0

SHA256
67eefced64c27b89d730f8f6f0510f94f6528a648a83b4b5d97b3b900869e20d

SHA512
db67f5635e8243e34e3b422f37c282bff3b8d7e3a15f5b1bc3dbb216f2f44267801c586d6ecb9defb5e3bbc1c4cd6dd11c2992a3ba99ad4beee4f021fc286636

Download Submit
C:\Windows\Installer\MSI852C.tmp

Filesize
990KB

MD5
0af5eb565ab9d5c85f39b8cb18cbb5d3

SHA1
24764564a3716e4b4335d9d0a84a70152942af03

SHA256
ee5d925866b37fae2d4aa530bcb49ea5b03e88bfc470aabe41e3a5f0ef9ff999

SHA512
28b5f86d39651100cc80a93b97766f1e5af930e135350e089e3d6d4d5ae6c9d075dcca9ceea391757552c6cf3e5c45d2777a5d5d5279249388beb7b8225d48f1

Download Submit
C:\Windows\Installer\MSI8945.tmp

Filesize
168KB

MD5
4e09b7212607c611cdf9f7ab84bb3079

SHA1
0b9d6ab4f5201108e8e7b28e20093ee66e9d9b2f

SHA256
60df5914efea987f3021fc1c62366b10f66f9e632242ed46c364de19f04e5f03

SHA512
ce5a54005883029bc95f1d256bfda5e5c0990979ed03f01573ab689de081bd1b73d190029a10625ebac314ff5bfc8f58e7f5600b4466abb7465b34987a78ccfb

Download Submit
C:\Windows\Installer\MSI8945.tmp

Filesize
34KB

MD5
b44395530c80166e9c5009ea806247ab

SHA1
9b6ac0a7b4e5713de9d326f3cfac399f58415fc0

SHA256
7751c50443b1a106d4a943c67ef8920beffc52a383149c7b199fc5dac9417b06

SHA512
bb14da8579ea3bc19344768afb42ef7643f01467b19bf251a9e033b222072a83a0afe0b085e0ff0673a24e530037f63067e71d18bc0bdfc279de15588f65fc67

Download Submit
C:\Windows\Installer\MSI8A30.tmp

Filesize
1.6MB

MD5
019fe78397e80eaf93169620f74bee0c

SHA1
d2847310074c4ddd7cf9737949a86e01cca5933b

SHA256
70596b5f93407e22e7b2ef14bcb09adc70b0c9def125767568a1c1217fc41b00

SHA512
c371e4c1f3fe395ef71aa78a7335dda3337b3987be3bc8659a5e3694345f678d479d09e818d89d8bdf2828b5f58de0915ba2f263c107774b91f09a16bb907fea

Download Submit
C:\Windows\Installer\MSI8A30.tmp

Filesize
1.1MB

MD5
85e0857a9ea8feab534dd8119bcf4278

SHA1
9f4d4752f1c6e37d41abf231bf14c1b4f61b8b13

SHA256
aeddc66e236dbdf9f1db2d9792c0de8295d54f337530f903b87ca602141729a2

SHA512
57f4eeac79fd9c22df034fb7e128f8ecdb3319c6c7e5b45a62bd5f2697dca5cca9d6c6860d3e8484ba62953db249371d35542be78a0d1788d9dd5b1f939dabcc

Download Submit
C:\Windows\Installer\MSI8A70.tmp

Filesize
1.2MB

MD5
1b6f63461b4ce1d61edfedea4ddd2276

SHA1
2d7d98c93530dd5f9c6599ee5d3ff09bdffbb53d

SHA256
1eeb1717cc85b3e2ab1686fa9674ae6f36f4be36d7779ecff522c236f4f99fa5

SHA512
cabe4c4e93e10142f12f26fec1bd618536b596eeecae97c0674e8aa7d7c07bc47fa6af44ffece18618db7a419ddcb43dfbcc84adacab974736f23bce9b7316f6

Download Submit
C:\Windows\Installer\MSI8A70.tmp

Filesize
1.3MB

MD5
ce7bbd5677a5392e51f19c90515b0ad5

SHA1
51b21f6a6ecd983866ba0a9b558cf1445636a2c5

SHA256
502822381f79e862ced28ae83f2136f8659b19e0f4f4996bef2284c6188c41f2

SHA512
4a074bbec87070208750b89c75b9b7782fb0903f563acce956f6cebf8f1e9716c4cc7d2e30d6d9616862a668feab1e91ab2927f49617355d744022b06d1b526f

Download Submit
C:\Windows\Installer\MSI8A80.tmp

Filesize
163KB

MD5
c435f554a0823a156c21d8ebe6487fb0

SHA1
a078ca18d0532f33d10a8e898970e3f0ed2c1985

SHA256
d8a42eda60051799d97883dcc0f27b2f87f39d39d5a46047590c403d57e29d25

SHA512
d4e405fe17079e2e3943d0e625f2d8c530398467cbd6a575828c84b46df2c1aeb66c16f7d54973f280c5319366767cbc3fe741aa2f2f00ebda590c0ee85c745a

Download Submit
C:\Windows\Installer\MSIB2E9.tmp

Filesize
1.1MB

MD5
1d1261a0cb012f6b666fad9c51648024

SHA1
63bc3ae8aec1891a9fd11e675f2bceee6aa59f16

SHA256
8d1aa512a6fb092298a60d8dc1d12f77c00320ead2a17f51e4bb39f9d20a4b67

SHA512
9b6779f6ece0d84e286d7a9ac421766d99b9fdb43cdf2696bde44195c6b266d434255204ea6fd47be6584bb5782dcde599014a197eefac50c885ca93cb856f34

Download Submit
C:\Windows\Installer\MSIB2E9.tmp

Filesize
1.4MB

MD5
f8d9f8af5c3453b5090874e8ea1527a2

SHA1
6f9d2b71248291ff883cdfb0e91edce18c9befbb

SHA256
445dea51a639dbeb04562756f300eeca5a5db215f76c5cf88adf0f74bd801121

SHA512
92f812bf7b60b7c428c8c20875be4586ae1a8dd6779301f0c2822530e10c82d7047d1f9bc468e25feb83039cb6cd86db6e52bdb10873ab013715a3747ad2cca3

Download Submit
C:\Windows\Installer\MSIB338.tmp

Filesize
1.3MB

MD5
0519a7278055c5ed1cd465af47499cc0

SHA1
7019e9ae85819dd8c7e7804a2ad9fe4c43886f0f

SHA256
7876b9aa90a3ebb7f3940e92c167f95720f634ea297ef0c9e37ad8044ad018fe

SHA512
4b8d61875bff543901ab1427227b5031f72c080666c7e8d10f6f366a06fa55c70e06b708beaa75c58ccffd081fec44be2ece7a2b108d45e6690bfd86427b9081

Download Submit
C:\Windows\Installer\MSIB338.tmp

Filesize
1.1MB

MD5
b900dd9e25c602e07a483925c79d26a8

SHA1
c16b092c19ee39367c78afd6f0133f6881ca2125

SHA256
4b7c8d0f3abad5bfa17fe8296a033edbfad1cd3b45e35224a516df5fbe52953e

SHA512
04767b216dbd677c95f6c89ace901a424b681df7bb537d99f03afcaba6e5600e3cc786ed058c98dfc816e40bac86da336803b357717b6578adddd934219a4ff8

Download Submit
C:\Windows\Installer\MSIB76F.tmp

Filesize
156KB

MD5
491ddfe08268c507faefd897e91c2917

SHA1
cda590438cd15e5266c880bc72db6466bc42c0c9

SHA256
f43c044c1954aabb8de68eccbccfc0553c152ebe6119d5071f01e5db33feb6d3

SHA512
d17c64ddf7826293148f1fbd437f3c93f6dd315b08acd8cc2fa6053cb1c00400248038db57ec7f87e995254764a1770feeae0d2a4cd2f3cdcc6bcecf9edbd15f

Download Submit
C:\Windows\Installer\MSIB76F.tmp

Filesize
182KB

MD5
be7cc1f7475b37902da8e7b96ad6d0a3

SHA1
c98d68c33ff9e736b47ef2da625dd85b1de712bf

SHA256
85f9f58f47d3933e3854c6edbe771731a07eb7d4e2ecbebb67ae71f6c4fce7d3

SHA512
2bc3baaa60e360dc5d77f940a7ab076c50e6a38c82b67d85544d1705eba586a8145a6d49cfc4d2119b2bd2180ca83b820edd3d1731caf71a87424f417f6aed20

Download Submit
C:\Windows\Installer\MSIB7FD.tmp

Filesize
259KB

MD5
4253322432b43021ea3cfc2f67643448

SHA1
7277ea2ab56602af18f1f237a3a68dcdb6e0bd03

SHA256
26389016eabff606b0dd0ba7eb91ab764e48b4e62361a6a8916685e79bb8678e

SHA512
e68fa5e38c1a04aef99bd54be76899bb5ba22c884f11840679ca8f275b9fc7d3f56485b01552271ec42e73dbdbd807e09639262633ab233f57457ee0b7256a02

Download Submit
C:\Windows\Installer\MSIB7FD.tmp

Filesize
165KB

MD5
0ba75268550a00658a752e9c4f6112ab

SHA1
0c267fd34fb522032e4011856aa33a70945442fc

SHA256
1570e943e52b7c1e15837441e7a01eefa303327581c6b45ce42ce18534b3ed49

SHA512
88dbaa88765302573290ddbbe6323d578b5446d23b639108535d7acd93a7a215fc00d10af351d747a115e992df0143388decaae87b3364ba745c5a6010a09587

Download Submit
C:\Windows\System32\DriverStore\Temp\{0ec0f3fb-dbab-8748-abaa-68fbfbc1ffcd}\inspect.cat

Filesize
10KB

MD5
7c977268ee60fd92ef58849e19431483

SHA1
f371323947552968ae0f4439c819d071520c3794

SHA256
ea0aa16e6d3ed58fa312fd6b25e252806afa095e6dc121b9ba0e1dc1b089fffc

SHA512
f29b97906999133da7eb59b6f92bde043d889bd624a8c692fced43a329a70a3b2725b6cc52d638c64a6896842b7c31efc3b4bbe55d23be7b15358377949d89bd

Download Submit
C:\Windows\System32\DriverStore\Temp\{0ec0f3fb-dbab-8748-abaa-68fbfbc1ffcd}\inspect.inf

Filesize
2KB

MD5
df44c02cbfa857c9bf77a35594391d04

SHA1
e018b8c2b3213d4e7ac05d90d0b958e88a8e5953

SHA256
5357482e9f2f5dad518e4fc80b2a36c2de2e356cf3bed5ea453afa5a0e748da7

SHA512
486a33465bedfd84d66c91ef2fa86810aeaba9e592b6cd759c28a0365d92ca2194494d198f954487744073bb069f03bf9bffbf31ad4c0f1dbded87070859f440

Download Submit
C:\Windows\System32\DriverStore\Temp\{0ec0f3fb-dbab-8748-abaa-68fbfbc1ffcd}\inspect.sys

Filesize
127KB

MD5
4e2fa027252a2b9fcf213152d098b352

SHA1
a3f07b79417454c0ab0f34ace7d2d309ab941178

SHA256
803b69cc009d92c4b7685f718a5cf55cb80a8cc9f648376e9d8d2eef05490274

SHA512
3b302f4580e5ff330dc210bf80c52e5e69c93aa1114664d10ee9f64a5d775749587fbb267ceb6b443f02439ef0df8635dd8c3d0eba7b44ba641db9a10a809e3a

Download Submit
C:\Windows\System32\drivers\SETBD7F.tmp

Filesize
37KB

MD5
d3d25a9b82ce6ba3078ee519394579e3

SHA1
756e832100613d083de579204c6cbe77be508e0d

SHA256
67aa0540e2893d7cdbd04d4ed264e8c7b517530b2c9d12370f65c2473965bf70

SHA512
8a1a6c48a8db3614b0cb47fc04f0d964f2097123ac0eca01270823e408ef670334f16a401324dea5e7fd8c40e8204de81c92f318f74dd56f5ce8edcf1ed0bd17

Download Submit
C:\Windows\System32\drivers\SETBD8F.tmp

Filesize
348KB

MD5
2538a6573091d96f32c587ef418f8388

SHA1
41ab3ee31116c574570fa70228bd0ad20fee4ca1

SHA256
6ca273ebac7de2a7d2e34c19c4d5e85f8f54d1d796d317d3b7969b9ce05a7744

SHA512
05bc3559bd8ec20b0086fbaed0620bc9259d4f2d8d3aa372644a791035591a8b7fc7291387ff7d5f92da903ce2bfe827cb15a22f76aa192dc7daa6dc38306c39

Download Submit
C:\Windows\System32\drivers\SETBFC3.tmp

Filesize
46KB

MD5
6cee7521136e5b1eab4f723c44b8a850

SHA1
87fd9dab6304d19d6c9fefa44ebe5085c60a52a0

SHA256
0edd7f07bd14770a40b6895649f0715d234db0137f6456fa7b639e26f768ba38

SHA512
18e23156cc5a1b05e9a4a304442555786569ba99034f33c8b514e47e67609e7504e625680bef9926f8f5aeed3b8a60cb756c857295620f6dd5bc16c93bce862d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads