534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c

Analysis

max time kernel
145s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
Size

1.2MB
MD5

d34a94dd27758b9f87cd79397a50b3f9
SHA1

85446174bc7127290363f582dc16c87cf0ba703f
SHA256

534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c
SHA512

05246d7d99fa80fc7115265f0434f783f817d7cdf62adce0543549c6b357f69884e50c66bc13fac0a9b1e918dbb966fd4a92b8c9cbae96ca051a4603820785fd
SSDEEP

24576:yuKVnCkDa+h+vyfamLEOw00yxINwObBKMFvHTUsWRRiReEpu3yvj5oFKkj:qRG+KK3ExyxI6OUMFvHTmWwEpcs54Rj

Score

10^/10

adware discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{0303AE19-BCF3-42B1-A8DB-A300A8184C15} = "v2.10\|Action=Allow\|Active=TRUE\|Dir=In\|App=C:\\ProgramData\\zoomify2\\1.1.0.29\\cozhost.exe\|Name=zoomify\|"	cozhost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	cozhost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{0303AE19-BCF3-42B1-A8DB-A300A8184C15} = "v2.10\|Action=Allow\|Active=TRUE\|Dir=In\|App=C:\\ProgramData\\zoomify2\\1.1.0.29\\cozhost.exe\|Name=zoomify\|"	cozhost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	cozhost.exe

Executes dropped EXE 13 IoCs

pid	Process
1828	cozhost.exe
1456	cozhost.exe
1352	cozwhost.exe
972	cozhost.exe
1616	coz32host.exe
1512	cozwhost.exe
2176	cozhost.exe
2196	coz64host.exe
1200	Process not Found
2228	cozhost.exe
2248	cozahost.exe
2336	cozhost.exe
2356	cozahost.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\InprocServer32\ = "C:\\ProgramData\\zoomify2\\1.1.0.29\\zoomify64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\InprocServer32	regsvr32.exe

Loads dropped DLL 64 IoCs

pid	Process
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1828	cozhost.exe
1752	regsvr32.exe
1372	regsvr32.exe
1212	regsvr32.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1352	cozwhost.exe
1352	cozwhost.exe
972	cozhost.exe
972	cozhost.exe
1616	coz32host.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 14 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}}	cozhost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	cozhost.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	cozhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}}\NoExplorer = "1"	cozhost.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}}	cozhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}\ = "script helper for ie"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}\NoExplorer = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}}\NoExplorer = "1"	cozhost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}	cozhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}\ = "script helper for ie"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}	cozhost.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\KU1OP2NS.txt	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_A250FA44615D767A3F3B7AFA283419C9	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\jquery-ui.min[1].js	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\jquery.min[1].js	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_01B1031F6736E831E4D73D2798F7305E	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserrordiagoff[1]	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bootstrap.min[1].js	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\cr[1].html	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\background_gradient[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\update[1].htm	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_01B1031F6736E831E4D73D2798F7305E	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3KX2YWYU.txt	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\background_gradient[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\KU1OP2NS.txt	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bullet[1]	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MS2L84JT.htm	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_A250FA44615D767A3F3B7AFA283419C9	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserrordiagoff[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\info_48[1]	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\js[1].js	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3KX2YWYU.txt	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bullet[1]	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XA7ZX5JD.htm	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\info_48[1]	cozhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\cr[1].htm	cozhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70	cozhost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\Tempo Runner coz32host.job	cozhost.exe
File created	C:\Windows\Tasks\Tempo Runner coz64host.job	cozhost.exe
File opened for modification	C:\Windows\Tasks\Tempo Runner coz64host.job	cozhost.exe
File created	C:\Windows\Tasks\Tempo Runner cozahost.job	cozhost.exe
File opened for modification	C:\Windows\Tasks\Tempo Runner cozahost.job	cozhost.exe
File created	C:\Windows\Tasks\Tempo Runner coz32host.job	cozhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	cozhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	cozahost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	cozhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-d8-5c-a7-f4-67\WpadDecisionReason = "1"	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	cozhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	cozhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\WpadNetworkName = "Network 2"	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-d8-5c-a7-f4-67	cozhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-d8-5c-a7-f4-67\WpadDecision = "0"	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cozhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\72-d8-5c-a7-f4-67	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	cozhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cozhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	cozhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\WpadDecisionReason = "1"	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	cozhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\WpadDecision = "0"	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	cozhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	cozhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cozhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cozhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\WpadDecisionTime = 0031560c7602d901	cozhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-d8-5c-a7-f4-67\WpadDecisionTime = 0031560c7602d901	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	cozhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	cozhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cozhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	cozhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	cozhost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\ProgID\ = "wit4ie.WitBHO.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\VersionIndependentProgID\ = "wit4ie.WitBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\InprocServer32\ = "C:\\ProgramData\\zoomify2\\1.1.0.29\\zoomify32.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\ = "Zoomify"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\ = "Zoomify"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\ = "wit4ie 2.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL\AppID = "{20EDC024-43C5-423E-B7F5-FD93523E0D9F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL\AppID = "{20EDC024-43C5-423E-B7F5-FD93523E0D9F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\CLSID\ = "{72351B45-9636-4F99-820B-7C552D27897D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\ = "IWitBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\CLSID\ = "{72351B45-9636-4F99-820B-7C552D27897D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\HELPDIR\ = "C:\\ProgramData\\zoomify2\\1.1.0.29"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F}\ = "wit4ie"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CLSID\ = "{72351B45-9636-4F99-820B-7C552D27897D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\ = "Zoomify"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CLSID\ = "{72351B45-9636-4F99-820B-7C552D27897D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\ = "IWitBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\ = "Zoomify"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\0\win32\ = "C:\\ProgramData\\zoomify2\\1.1.0.29\\zoomify32.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\TypeLib\ = "{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}\TypeLib\ = "{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1F35F0B-FED4-4BB8-9343-D68619D62E6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\ = "Zoomify"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\VersionIndependentProgID\ = "wit4ie.WitBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\InprocServer32\ = "C:\\ProgramData\\zoomify2\\1.1.0.29\\zoomify64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\ProgID\ = "wit4ie.WitBHO.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\TypeLib\ = "{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\FLAGS	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	cozhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	cozhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	cozhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	cozhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	cozhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	cozhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	cozhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	cozhost.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
1828	cozhost.exe
1828	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1512	cozwhost.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1512	cozwhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2356	cozahost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
Token: SeDebugPrivilege	1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
Token: SeDebugPrivilege	1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
Token: SeDebugPrivilege	1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
Token: 33	1732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1732	AUDIODG.EXE
Token: 33	1732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1732	AUDIODG.EXE
Token: SeDebugPrivilege	1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1828	cozhost.exe
1828	cozhost.exe
1828	cozhost.exe
1828	cozhost.exe
1828	cozhost.exe
1828	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1456	cozhost.exe
1828	cozhost.exe
1828	cozhost.exe
1616	coz32host.exe
1828	cozhost.exe
1828	cozhost.exe
2196	coz64host.exe
2248	cozahost.exe
2248	cozahost.exe
2356	cozahost.exe
2356	cozahost.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1828	1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe	29
PID 1292 wrote to memory of 1828	1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe	29
PID 1292 wrote to memory of 1828	1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe	29
PID 1292 wrote to memory of 1828	1292	534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe	29
PID 1828 wrote to memory of 1372	1828	cozhost.exe	31
PID 1828 wrote to memory of 1372	1828	cozhost.exe	31
PID 1828 wrote to memory of 1372	1828	cozhost.exe	31
PID 1828 wrote to memory of 1372	1828	cozhost.exe	31
PID 1828 wrote to memory of 1372	1828	cozhost.exe	31
PID 1828 wrote to memory of 1372	1828	cozhost.exe	31
PID 1828 wrote to memory of 1372	1828	cozhost.exe	31
PID 1828 wrote to memory of 1752	1828	cozhost.exe	32
PID 1828 wrote to memory of 1752	1828	cozhost.exe	32
PID 1828 wrote to memory of 1752	1828	cozhost.exe	32
PID 1828 wrote to memory of 1752	1828	cozhost.exe	32
PID 1828 wrote to memory of 1752	1828	cozhost.exe	32
PID 1828 wrote to memory of 1752	1828	cozhost.exe	32
PID 1828 wrote to memory of 1752	1828	cozhost.exe	32
PID 1752 wrote to memory of 1212	1752	regsvr32.exe	33
PID 1752 wrote to memory of 1212	1752	regsvr32.exe	33
PID 1752 wrote to memory of 1212	1752	regsvr32.exe	33
PID 1752 wrote to memory of 1212	1752	regsvr32.exe	33
PID 1752 wrote to memory of 1212	1752	regsvr32.exe	33
PID 1752 wrote to memory of 1212	1752	regsvr32.exe	33
PID 1752 wrote to memory of 1212	1752	regsvr32.exe	33
PID 1456 wrote to memory of 1352	1456	cozhost.exe	36
PID 1456 wrote to memory of 1352	1456	cozhost.exe	36
PID 1456 wrote to memory of 1352	1456	cozhost.exe	36
PID 1456 wrote to memory of 1352	1456	cozhost.exe	36
PID 1928 wrote to memory of 972	1928	taskeng.exe	39
PID 1928 wrote to memory of 972	1928	taskeng.exe	39
PID 1928 wrote to memory of 972	1928	taskeng.exe	39
PID 1928 wrote to memory of 972	1928	taskeng.exe	39
PID 972 wrote to memory of 1616	972	cozhost.exe	40
PID 972 wrote to memory of 1616	972	cozhost.exe	40
PID 972 wrote to memory of 1616	972	cozhost.exe	40
PID 972 wrote to memory of 1616	972	cozhost.exe	40
PID 1928 wrote to memory of 2176	1928	taskeng.exe	44
PID 1928 wrote to memory of 2176	1928	taskeng.exe	44
PID 1928 wrote to memory of 2176	1928	taskeng.exe	44
PID 1928 wrote to memory of 2176	1928	taskeng.exe	44
PID 2176 wrote to memory of 2196	2176	cozhost.exe	45
PID 2176 wrote to memory of 2196	2176	cozhost.exe	45
PID 2176 wrote to memory of 2196	2176	cozhost.exe	45
PID 2176 wrote to memory of 2196	2176	cozhost.exe	45
PID 1928 wrote to memory of 2228	1928	taskeng.exe	46
PID 1928 wrote to memory of 2228	1928	taskeng.exe	46
PID 1928 wrote to memory of 2228	1928	taskeng.exe	46
PID 1928 wrote to memory of 2228	1928	taskeng.exe	46
PID 2228 wrote to memory of 2248	2228	cozhost.exe	47
PID 2228 wrote to memory of 2248	2228	cozhost.exe	47
PID 2228 wrote to memory of 2248	2228	cozhost.exe	47
PID 2228 wrote to memory of 2248	2228	cozhost.exe	47
PID 1928 wrote to memory of 2336	1928	taskeng.exe	48
PID 1928 wrote to memory of 2336	1928	taskeng.exe	48
PID 1928 wrote to memory of 2336	1928	taskeng.exe	48
PID 1928 wrote to memory of 2336	1928	taskeng.exe	48
PID 2336 wrote to memory of 2356	2336	cozhost.exe	49
PID 2336 wrote to memory of 2356	2336	cozhost.exe	49
PID 2336 wrote to memory of 2356	2336	cozhost.exe	49
PID 2336 wrote to memory of 2356	2336	cozhost.exe	49

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	cozhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{72351B45-9636-4F99-820B-7C552D27897D} = "1"	cozhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	cozhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	cozhost.exe

C:\Users\Admin\AppData\Local\Temp\534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe
"C:\Users\Admin\AppData\Local\Temp\534cc0da6a73b50caea7b3f9ae5141419950389b71ff22b4af7f9ae55913de7c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe
  "C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe" /Firstime=1
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1828
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\ProgramData\zoomify2\1.1.0.29\zoomify32.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:1372
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\ProgramData\zoomify2\1.1.0.29\zoomify64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\ProgramData\zoomify2\1.1.0.29\zoomify64.dll"
      4⤵
      Registers COM server for autorun
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies registry class
      PID:1212

C:\PROGRA~3\zoomify2\110~1.29\cozhost.exe
C:\PROGRA~3\zoomify2\110~1.29\cozhost.exe /ts2=1
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456
- C:\ProgramData\zoomify2\1.1.0.29\cozwhost.exe
  C:\ProgramData\zoomify2\1.1.0.29\cozwhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1352

C:\Windows\system32\taskeng.exe
taskeng.exe {F9E1AF11-50D8-4B32-AF1F-DC947C0C7DDD} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe
  C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe /dgad="C:\ProgramData\zoomify2\1.1.0.29\coz32host.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\ProgramData\zoomify2\1.1.0.29\coz32host.exe
    "C:\ProgramData\zoomify2\1.1.0.29\coz32host.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1616
- C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe
  C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe /dgad="C:\ProgramData\zoomify2\1.1.0.29\coz64host.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\ProgramData\zoomify2\1.1.0.29\coz64host.exe
    "C:\ProgramData\zoomify2\1.1.0.29\coz64host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2196
- C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe
  C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe /dgad="C:\ProgramData\zoomify2\1.1.0.29\cozahost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\ProgramData\zoomify2\1.1.0.29\cozahost.exe
    "C:\ProgramData\zoomify2\1.1.0.29\cozahost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2248
- C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe
  C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe /dgad="C:\ProgramData\zoomify2\1.1.0.29\cozahost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\ProgramData\zoomify2\1.1.0.29\cozahost.exe
    "C:\ProgramData\zoomify2\1.1.0.29\cozahost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2356

C:\PROGRA~3\zoomify2\110~1.29\cozwhost.exe
C:\PROGRA~3\zoomify2\110~1.29\cozwhost.exe -scm
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe

Filesize
465KB

MD5
e68c5211f1b6942e3affaec742c32985

SHA1
8f9b56a97a096716fae5b090d7b11f93014c115c

SHA256
0df2e649b25b1e6c93c74616faf22a188027de3315b3ae58a9107f8766834fb5

SHA512
f4c46caa0fe08ecce0febf7b9a5cce5a73a603061fa2eb46b4a39195dd10e3bdc1476581604076fc3a8505c5eb8f231e5299c266079ff420876fdb6b47ad753e

Download Submit
C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe

Filesize
465KB

MD5
e68c5211f1b6942e3affaec742c32985

SHA1
8f9b56a97a096716fae5b090d7b11f93014c115c

SHA256
0df2e649b25b1e6c93c74616faf22a188027de3315b3ae58a9107f8766834fb5

SHA512
f4c46caa0fe08ecce0febf7b9a5cce5a73a603061fa2eb46b4a39195dd10e3bdc1476581604076fc3a8505c5eb8f231e5299c266079ff420876fdb6b47ad753e

Download Submit
C:\ProgramData\zoomify2\1.1.0.29\cozhost.exe

Filesize
465KB

MD5
e68c5211f1b6942e3affaec742c32985

SHA1
8f9b56a97a096716fae5b090d7b11f93014c115c

SHA256
0df2e649b25b1e6c93c74616faf22a188027de3315b3ae58a9107f8766834fb5

SHA512
f4c46caa0fe08ecce0febf7b9a5cce5a73a603061fa2eb46b4a39195dd10e3bdc1476581604076fc3a8505c5eb8f231e5299c266079ff420876fdb6b47ad753e

Download Submit
C:\ProgramData\zoomify2\1.1.0.29\zoomify.xpi

Filesize
62KB

MD5
d759d415e3597086d3e058c924a3d70e

SHA1
8958d9995036f8537e5add5157ec83f0e362e8c0

SHA256
acd4fda23ddc1c3f4d10baa1faba2fd75f6beb7c26cb110bae1fc9e36843e041

SHA512
d5ee46f23de3a9e91d218483d3bcde02d86624717c0b67840fc240d13d0b5d888734c070da767243694f90d424fa3334b6a504b42a390a1c8615e68b159e1ac6

Download Submit
C:\ProgramData\zoomify2\1.1.0.29\zoomify32.dll

Filesize
297KB

MD5
62edb19f13465e78cf0d549217a92f18

SHA1
1ef51be317b0e8c9c46283540a10129b4f4daac0

SHA256
7c83bb865244acc9de5effb2f55aa6a33969363a0448c7b52f4a008c26e03052

SHA512
106c0e60cacad163beda782b91a1b72936109f6379e455c7f709a840540f8bddb8abc4b11252a4c4b3910d1e844b64af893f00cfeb6b737ae0529e643ab72740

Download Submit
C:\ProgramData\zoomify2\1.1.0.29\zoomify64.dll

Filesize
381KB

MD5
15fdcb611b110da87ed130c14bdac4ed

SHA1
3732313f805a120c5b09a8cf11de1cd5a76a1d6b

SHA256
2d21e33aa5b2629ead96a3b5bf6eb341f8e655e295dd1e822ea56130195edf47

SHA512
4e794d2238f34d07cd03e95ee32b380e47e98899bf06049b3003af02f347f8ffc281d339c14ab5c9c5f0bc173423419580de5d76f4fb66b1157b03fedab381f8

Download Submit
C:\ProgramData\zoomify2\1.1.0.29\zoomifyutil32.dll

Filesize
399KB

MD5
dc8ddcad610201a4636a1835191fb379

SHA1
7b9a0f29730f6d41110020554b1f142ab8908971

SHA256
20e52b315508729cc8b9048d4c63c1325b8790805a5e8f423748712570203875

SHA512
34420d9980616e0ca60583f8a853196974720f1b5fe968841b96dcfcc537076def43d2c96764619732a2f0a7230bcb1f366e09f0b4c1510c4f4a9d04bc98bc7d

Download Submit
\ProgramData\zoomify2\1.1.0.29\cozhost.exe

Filesize
465KB

MD5
e68c5211f1b6942e3affaec742c32985

SHA1
8f9b56a97a096716fae5b090d7b11f93014c115c

SHA256
0df2e649b25b1e6c93c74616faf22a188027de3315b3ae58a9107f8766834fb5

SHA512
f4c46caa0fe08ecce0febf7b9a5cce5a73a603061fa2eb46b4a39195dd10e3bdc1476581604076fc3a8505c5eb8f231e5299c266079ff420876fdb6b47ad753e

Download Submit
\ProgramData\zoomify2\1.1.0.29\cozhost.exe

Filesize
465KB

MD5
e68c5211f1b6942e3affaec742c32985

SHA1
8f9b56a97a096716fae5b090d7b11f93014c115c

SHA256
0df2e649b25b1e6c93c74616faf22a188027de3315b3ae58a9107f8766834fb5

SHA512
f4c46caa0fe08ecce0febf7b9a5cce5a73a603061fa2eb46b4a39195dd10e3bdc1476581604076fc3a8505c5eb8f231e5299c266079ff420876fdb6b47ad753e

Download Submit
\ProgramData\zoomify2\1.1.0.29\zoomify32.dll

Filesize
297KB

MD5
62edb19f13465e78cf0d549217a92f18

SHA1
1ef51be317b0e8c9c46283540a10129b4f4daac0

SHA256
7c83bb865244acc9de5effb2f55aa6a33969363a0448c7b52f4a008c26e03052

SHA512
106c0e60cacad163beda782b91a1b72936109f6379e455c7f709a840540f8bddb8abc4b11252a4c4b3910d1e844b64af893f00cfeb6b737ae0529e643ab72740

Download Submit
\ProgramData\zoomify2\1.1.0.29\zoomify64.dll

Filesize
381KB

MD5
15fdcb611b110da87ed130c14bdac4ed

SHA1
3732313f805a120c5b09a8cf11de1cd5a76a1d6b

SHA256
2d21e33aa5b2629ead96a3b5bf6eb341f8e655e295dd1e822ea56130195edf47

SHA512
4e794d2238f34d07cd03e95ee32b380e47e98899bf06049b3003af02f347f8ffc281d339c14ab5c9c5f0bc173423419580de5d76f4fb66b1157b03fedab381f8

Download Submit
\ProgramData\zoomify2\1.1.0.29\zoomify64.dll

Filesize
381KB

MD5
15fdcb611b110da87ed130c14bdac4ed

SHA1
3732313f805a120c5b09a8cf11de1cd5a76a1d6b

SHA256
2d21e33aa5b2629ead96a3b5bf6eb341f8e655e295dd1e822ea56130195edf47

SHA512
4e794d2238f34d07cd03e95ee32b380e47e98899bf06049b3003af02f347f8ffc281d339c14ab5c9c5f0bc173423419580de5d76f4fb66b1157b03fedab381f8

Download Submit
\ProgramData\zoomify2\1.1.0.29\zoomifyutil32.dll

Filesize
399KB

MD5
dc8ddcad610201a4636a1835191fb379

SHA1
7b9a0f29730f6d41110020554b1f142ab8908971

SHA256
20e52b315508729cc8b9048d4c63c1325b8790805a5e8f423748712570203875

SHA512
34420d9980616e0ca60583f8a853196974720f1b5fe968841b96dcfcc537076def43d2c96764619732a2f0a7230bcb1f366e09f0b4c1510c4f4a9d04bc98bc7d

Download Submit
\ProgramData\zoomify2\1.1.0.29\zoomifyutil32.dll

Filesize
399KB

MD5
dc8ddcad610201a4636a1835191fb379

SHA1
7b9a0f29730f6d41110020554b1f142ab8908971

SHA256
20e52b315508729cc8b9048d4c63c1325b8790805a5e8f423748712570203875

SHA512
34420d9980616e0ca60583f8a853196974720f1b5fe968841b96dcfcc537076def43d2c96764619732a2f0a7230bcb1f366e09f0b4c1510c4f4a9d04bc98bc7d

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\InstallerUtils.dll

Filesize
174KB

MD5
7347e81aa7527980789eee8e13ba6acd

SHA1
8cd73cc10f01cb3332f99a7acfef9ea162f79539

SHA256
7ac282e932b7fe970188474d1480e8dac77f33fe3e4cefc196dbaee9f79d24f1

SHA512
6f9556e814e8c2c2defc4477c04944d75f33a034a529e4f854bb27f99189312652f6ae86798f24baa6b6c297fc8137450cacfffd4b4873d97333fdd33913afaa

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\InstallerUtils.dll

Filesize
174KB

MD5
7347e81aa7527980789eee8e13ba6acd

SHA1
8cd73cc10f01cb3332f99a7acfef9ea162f79539

SHA256
7ac282e932b7fe970188474d1480e8dac77f33fe3e4cefc196dbaee9f79d24f1

SHA512
6f9556e814e8c2c2defc4477c04944d75f33a034a529e4f854bb27f99189312652f6ae86798f24baa6b6c297fc8137450cacfffd4b4873d97333fdd33913afaa

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\InstallerUtils.dll

Filesize
174KB

MD5
7347e81aa7527980789eee8e13ba6acd

SHA1
8cd73cc10f01cb3332f99a7acfef9ea162f79539

SHA256
7ac282e932b7fe970188474d1480e8dac77f33fe3e4cefc196dbaee9f79d24f1

SHA512
6f9556e814e8c2c2defc4477c04944d75f33a034a529e4f854bb27f99189312652f6ae86798f24baa6b6c297fc8137450cacfffd4b4873d97333fdd33913afaa

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\InstallerUtils.dll

Filesize
174KB

MD5
7347e81aa7527980789eee8e13ba6acd

SHA1
8cd73cc10f01cb3332f99a7acfef9ea162f79539

SHA256
7ac282e932b7fe970188474d1480e8dac77f33fe3e4cefc196dbaee9f79d24f1

SHA512
6f9556e814e8c2c2defc4477c04944d75f33a034a529e4f854bb27f99189312652f6ae86798f24baa6b6c297fc8137450cacfffd4b4873d97333fdd33913afaa

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\InstallerUtils.dll

Filesize
174KB

MD5
7347e81aa7527980789eee8e13ba6acd

SHA1
8cd73cc10f01cb3332f99a7acfef9ea162f79539

SHA256
7ac282e932b7fe970188474d1480e8dac77f33fe3e4cefc196dbaee9f79d24f1

SHA512
6f9556e814e8c2c2defc4477c04944d75f33a034a529e4f854bb27f99189312652f6ae86798f24baa6b6c297fc8137450cacfffd4b4873d97333fdd33913afaa

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\InstallerUtils.dll

Filesize
174KB

MD5
7347e81aa7527980789eee8e13ba6acd

SHA1
8cd73cc10f01cb3332f99a7acfef9ea162f79539

SHA256
7ac282e932b7fe970188474d1480e8dac77f33fe3e4cefc196dbaee9f79d24f1

SHA512
6f9556e814e8c2c2defc4477c04944d75f33a034a529e4f854bb27f99189312652f6ae86798f24baa6b6c297fc8137450cacfffd4b4873d97333fdd33913afaa

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\InstallerUtils.dll

Filesize
174KB

MD5
7347e81aa7527980789eee8e13ba6acd

SHA1
8cd73cc10f01cb3332f99a7acfef9ea162f79539

SHA256
7ac282e932b7fe970188474d1480e8dac77f33fe3e4cefc196dbaee9f79d24f1

SHA512
6f9556e814e8c2c2defc4477c04944d75f33a034a529e4f854bb27f99189312652f6ae86798f24baa6b6c297fc8137450cacfffd4b4873d97333fdd33913afaa

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nso1FB4.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
memory/1212-162-0x000007FEFC211000-0x000007FEFC213000-memory.dmp

Filesize
8KB

Download
memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1292-185-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1292-60-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download