3e091df4051e6b0859c2142a0869a415e5968c20edb5e9a60fcd077f7b61be19

Analysis

max time kernel
48s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Evon Exploit V4_21630.exe
Size

8.7MB
MD5

98194b1fd3ceea50438976b40ea59d05
SHA1

ed918fbb5765aa91e5c9d2c492ec00667478ac35
SHA256

3e091df4051e6b0859c2142a0869a415e5968c20edb5e9a60fcd077f7b61be19
SHA512

9587acb23ee51e4743c5399b78b64f2a0e87e2413cd56e220df8c08ebe0f352ac0ca83c1826f09718876a6248057e9cbac0f38ee725de83b4ca7de4f805f30bf
SSDEEP

196608:wu6nOE62LOa8ewFCrqNeuUG59Fa9FVDNWXVkHo/ly:MOb2C6wFCrqNZ529PDNs2Ho/k

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nraaocow.qjc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nraaocow.qjc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nraaocow.qjc.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GenericSetup.exeRoblox Evon Exploit V4_21630.exenraaocow.qjc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	GenericSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Roblox Evon Exploit V4_21630.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	nraaocow.qjc.exe

Executes dropped EXE 7 IoCs

Processes:

setup21630.exeGenericSetup.exesetup21630.exeGenericSetup.exeOfferInstaller.exenraaocow.qjc.exeAVGBrowserUpdateSetup.exe

pid	process
5100	setup21630.exe
332	GenericSetup.exe
4544	setup21630.exe
4972	GenericSetup.exe
692	OfferInstaller.exe
1976	nraaocow.qjc.exe
1144	AVGBrowserUpdateSetup.exe

Loads dropped DLL 44 IoCs

Processes:

GenericSetup.exeGenericSetup.exeOfferInstaller.exenraaocow.qjc.exe

pid	process
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
4972	GenericSetup.exe
4972	GenericSetup.exe
4972	GenericSetup.exe
4972	GenericSetup.exe
4972	GenericSetup.exe
4972	GenericSetup.exe
4972	GenericSetup.exe
4972	GenericSetup.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
692	OfferInstaller.exe
1976	nraaocow.qjc.exe
1976	nraaocow.qjc.exe
1976	nraaocow.qjc.exe
1976	nraaocow.qjc.exe
1976	nraaocow.qjc.exe
1976	nraaocow.qjc.exe
1976	nraaocow.qjc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 10 IoCs

Security Software Discovery

T1063

Processes:

GenericSetup.exenraaocow.qjc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	nraaocow.qjc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\AVAST Software\Avast	nraaocow.qjc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	GenericSetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	GenericSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

nraaocow.qjc.exe

description ioc process

File opened for modification \??\PhysicalDrive0 nraaocow.qjc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	nraaocow.qjc.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nraaocow.qjc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	nraaocow.qjc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	nraaocow.qjc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

Processes:

Roblox Evon Exploit V4_21630.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings Roblox Evon Exploit V4_21630.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	Roblox Evon Exploit V4_21630.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

OfferInstaller.exenraaocow.qjc.exeGenericSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	OfferInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	OfferInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	OfferInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	nraaocow.qjc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	nraaocow.qjc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	nraaocow.qjc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	nraaocow.qjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	GenericSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	nraaocow.qjc.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4032 NOTEPAD.EXE

pid	process
4032	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GenericSetup.exeRoblox Evon Exploit V4_21630.exe

pid	process
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
332	GenericSetup.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GenericSetup.exeOfferInstaller.exe

description pid process

Token: SeDebugPrivilege 332 GenericSetup.exe
Token: SeDebugPrivilege 692 OfferInstaller.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Roblox Evon Exploit V4_21630.exeGenericSetup.exe

pid process

1728 Roblox Evon Exploit V4_21630.exe
1728 Roblox Evon Exploit V4_21630.exe
332 GenericSetup.exe

description	pid	process
Token: SeDebugPrivilege	332	GenericSetup.exe
Token: SeDebugPrivilege	692	OfferInstaller.exe

pid	process
1728	Roblox Evon Exploit V4_21630.exe
1728	Roblox Evon Exploit V4_21630.exe
332	GenericSetup.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Roblox Evon Exploit V4_21630.exesetup21630.exesetup21630.exeGenericSetup.exeOfferInstaller.execmd.exefirefox.exefirefox.exenraaocow.qjc.exe

description	pid	process	target process
PID 1728 wrote to memory of 5100	1728	Roblox Evon Exploit V4_21630.exe	setup21630.exe
PID 1728 wrote to memory of 5100	1728	Roblox Evon Exploit V4_21630.exe	setup21630.exe
PID 1728 wrote to memory of 5100	1728	Roblox Evon Exploit V4_21630.exe	setup21630.exe
PID 5100 wrote to memory of 332	5100	setup21630.exe	GenericSetup.exe
PID 5100 wrote to memory of 332	5100	setup21630.exe	GenericSetup.exe
PID 5100 wrote to memory of 332	5100	setup21630.exe	GenericSetup.exe
PID 1728 wrote to memory of 4544	1728	Roblox Evon Exploit V4_21630.exe	setup21630.exe
PID 1728 wrote to memory of 4544	1728	Roblox Evon Exploit V4_21630.exe	setup21630.exe
PID 1728 wrote to memory of 4544	1728	Roblox Evon Exploit V4_21630.exe	setup21630.exe
PID 4544 wrote to memory of 4972	4544	setup21630.exe	GenericSetup.exe
PID 4544 wrote to memory of 4972	4544	setup21630.exe	GenericSetup.exe
PID 4544 wrote to memory of 4972	4544	setup21630.exe	GenericSetup.exe
PID 332 wrote to memory of 692	332	GenericSetup.exe	OfferInstaller.exe
PID 332 wrote to memory of 692	332	GenericSetup.exe	OfferInstaller.exe
PID 332 wrote to memory of 692	332	GenericSetup.exe	OfferInstaller.exe
PID 1728 wrote to memory of 4032	1728	Roblox Evon Exploit V4_21630.exe	NOTEPAD.EXE
PID 1728 wrote to memory of 4032	1728	Roblox Evon Exploit V4_21630.exe	NOTEPAD.EXE
PID 1728 wrote to memory of 4032	1728	Roblox Evon Exploit V4_21630.exe	NOTEPAD.EXE
PID 692 wrote to memory of 2168	692	OfferInstaller.exe	cmd.exe
PID 692 wrote to memory of 2168	692	OfferInstaller.exe	cmd.exe
PID 692 wrote to memory of 2168	692	OfferInstaller.exe	cmd.exe
PID 2168 wrote to memory of 1976	2168	cmd.exe	nraaocow.qjc.exe
PID 2168 wrote to memory of 1976	2168	cmd.exe	nraaocow.qjc.exe
PID 2168 wrote to memory of 1976	2168	cmd.exe	nraaocow.qjc.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 4568 wrote to memory of 564	4568	firefox.exe	firefox.exe
PID 564 wrote to memory of 3412	564	firefox.exe	firefox.exe
PID 564 wrote to memory of 3412	564	firefox.exe	firefox.exe
PID 1976 wrote to memory of 1144	1976	nraaocow.qjc.exe	AVGBrowserUpdateSetup.exe
PID 1976 wrote to memory of 1144	1976	nraaocow.qjc.exe	AVGBrowserUpdateSetup.exe
PID 1976 wrote to memory of 1144	1976	nraaocow.qjc.exe	AVGBrowserUpdateSetup.exe

C:\Users\Admin\AppData\Local\Temp\Roblox Evon Exploit V4_21630.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Evon Exploit V4_21630.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\setup21630.exe
C:\Users\Admin\AppData\Local\setup21630.exe hhwnd=786490 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-2lUia
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.exe
.\GenericSetup.exe hhwnd=786490 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-2lUia
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\OfferInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\OfferInstaller.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\nraaocow.qjc.exe" /s /run_source=avg_ads_lava "
5⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\nraaocow.qjc.exe
"C:\Users\Admin\AppData\Local\Temp\nraaocow.qjc.exe" /s /run_source=avg_ads_lava
6⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\nsa209A.tmp\AVGBrowserUpdateSetup.exe
AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9163&installargs=--reset-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome --private-browsing"
7⤵
- Executes dropped EXE
PID:1144

C:\Program Files (x86)\GUM3AB7.tmp\AVGBrowserUpdate.exe
"C:\Program Files (x86)\GUM3AB7.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9163&installargs=--reset-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome --private-browsing"
8⤵
PID:764

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
9⤵
PID:4028

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
9⤵
PID:4832

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
10⤵
PID:3488

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
10⤵
PID:1164

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
10⤵
PID:3040

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTU4Mi4zIiBzaGVsbF92ZXJzaW9uPSIxLjguMTU4Mi4zIiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezQwNkM4QzRDLUMyMzYtNDA5NC05NDdFLTUxNTFERjZBOEY1RH0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9IntGQjNEMEY5Mi04MDJELTQ4M0QtQkRGMi1GMDIzRDY0QTA5QTN9IiB1c2VyaWRfZGF0ZT0iMjAyMzA0MDMiIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIzMDQwMyIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9InswMkU5QjQ3NC04MUE5LTQ2MEQtQUQ3RS02RDUxOTQ0RUQwRDB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNTgyLjMiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTE2MyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMjMxMiIvPjwvYXBwPjwvcmVxdWVzdD4
9⤵
PID:5340

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9163&installargs=--reset-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome --private-browsing" /installsource otherinstallcmd /sessionid "{406C8C4C-C236-4094-947E-5151DF6A8F5D}" /silent
9⤵
PID:5496

C:\Users\Admin\AppData\Local\setup21630.exe
C:\Users\Admin\AppData\Local\setup21630.exe hready
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.exe
.\GenericSetup.exe hready
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4972

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:4032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="564.0.1762098593\1360193220" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d477978-6d3c-4287-9e4c-85686f97bd9d} 564 "\\.\pipe\gecko-crash-server-pipe.564" 1916 23a95a17a58 gpu
3⤵
PID:3412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="564.1.600826867\1311215475" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad6631bd-3b81-4aec-81d0-d8f9c5d01399} 564 "\\.\pipe\gecko-crash-server-pipe.564" 2316 23a87a72858 socket
3⤵
PID:3776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="564.2.1756897309\1879782390" -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3056 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {930d09a4-6aa7-4f9b-83b0-fd6dd0f12954} 564 "\\.\pipe\gecko-crash-server-pipe.564" 3032 23a98708258 tab
3⤵
PID:3876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="564.3.25946692\2053756205" -childID 2 -isForBrowser -prefsHandle 2464 -prefMapHandle 1460 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e340f5b5-56cf-404e-954c-024c87c77c8a} 564 "\\.\pipe\gecko-crash-server-pipe.564" 1184 23a87a71c58 tab
3⤵
PID:1096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="564.4.257217020\671492422" -childID 3 -isForBrowser -prefsHandle 3996 -prefMapHandle 3992 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41da04f4-4295-4153-b148-a147a547b32c} 564 "\\.\pipe\gecko-crash-server-pipe.564" 4016 23a87a5c758 tab
3⤵
PID:3188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="564.6.1727000364\88215696" -childID 5 -isForBrowser -prefsHandle 4936 -prefMapHandle 4932 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6ddb4ff-ba11-40e7-b74b-f9f89a0a392b} 564 "\\.\pipe\gecko-crash-server-pipe.564" 4952 23a9aca6d58 tab
3⤵
PID:2112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="564.5.1380507041\1616625617" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd9a879b-33e5-456d-a74f-3ec98d10634a} 564 "\\.\pipe\gecko-crash-server-pipe.564" 4856 23a9aca7358 tab
3⤵
PID:1648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="564.7.551482960\1898785177" -childID 6 -isForBrowser -prefsHandle 5268 -prefMapHandle 4896 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de1b64a3-c440-4f73-995f-f6d765fff320} 564 "\\.\pipe\gecko-crash-server-pipe.564" 4816 23a9acb8658 tab
3⤵
PID:460

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
PID:5628

C:\Program Files (x86)\AVG\Browser\Update\Install\{C860EB89-D305-40B4-92EC-0FC172600613}\AVGBrowserInstaller.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{C860EB89-D305-40B4-92EC-0FC172600613}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=1 --default-search=google.com --adblock-mode-default=1 --reset-default-win10 --auto-import-data=msedge --import-cookies --auto-launch-chrome --private-browsing --system-level
2⤵
PID:5344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
Filesize
204KB

MD5
a2e0e8ff0bb8068d6e06db4b5da75806

SHA1
8ff63d9d3c7879f40070851e464241ab5ce82273

SHA256
9127425263da7557b33e7035258e661925c445c0443a825227b6e5a75093f964

SHA512
dccd0a4dca930ce8ad77487fdb7c92a70388c6eef4d6b662f8c766df57a250fe2096ede8122941ec62dfa51bed4cfa848bcf6e07dcd0fdd52920cf2c84095a32

Download Submit
C:\Program Files (x86)\AVG\Browser\Update\Download\{48F69C39-1356-4A7B-A899-70E3539D4982}\111.0.20600.112\AVGBrowserInstaller.exe
Filesize
44.1MB

MD5
82eeaff47eeaed0b241d22f69c2c1c9a

SHA1
746aed5d66f2fe665d4885bb96737e7b5d085ec7

SHA256
c624babee2d6c6ac28ee7b624ee227f02345a352c21b13dcbb7384255d4fbe52

SHA512
e465da42e83a81d3044eca4790a57a65eac3eb5d9752a794794a785e7aaeb395336f6a43bef9299978fc02f86756f297be3b8dc787571ea8728dbcd4505c54d0

Download Submit
C:\Program Files (x86)\GUM3AB7.tmp\@PaxHeader
Filesize
27B

MD5
48ba00550856a9ff05d7a392d5c4e794

SHA1
a95be6fd0628f447336b8795b5379e31b1be1e7f

SHA256
987479993859b2a9e5b489b254a61f8cfd3ff28f65cfdae38ea085fb8e495107

SHA512
3acd0713af47971a6a66dac4c4e3d6c4e22fa8c3e8fe596249a25ea7a7daf0fafa07e8494558be962158ea6796aec84a2418d0efc2a90df95be2456e43a46f80

Download Submit
C:\Program Files (x86)\GUM3AB7.tmp\@PaxHeader
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\GUM3AB7.tmp\@PaxHeader
Filesize
28B

MD5
2b820b08905aa70d163f004a76b1f352

SHA1
f602407eea93a79bf43d32bf59ad55ea99d46778

SHA256
a1cb612b92d2447f16f20ee03a79ea090c6051568417207846323ce0090d5e5f

SHA512
2b2ead5d9f5407061e41a5f2528388dbe378b6c138d5af1dbcba04360bae8d5ef273b3d9966f0777f1e869da8b45f7ecd8231cc6d8deb902f57cbb0203c06c68

Download Submit
C:\Program Files (x86)\GUM3AB7.tmp\@PaxHeader
Filesize
26B

MD5
589f486fc36065c31a0c180369160412

SHA1
bc24991fb59d5df2eec7b0a8e8e42c60f8bc80c3

SHA256
87eb804d0326004b88d33c6360984c9053403006f872d32c9fdb2e0760b76fbd

SHA512
7a324f75a8922a50eca3667494d1b4261078b364061e013fff9acb5acd6687a153a0bd367c2321d64a47444c58d996dc456fb905f361b7c4c72d277fcac95535

Download Submit
C:\Program Files (x86)\GUM3AB7.tmp\@PaxHeader
Filesize
27B

MD5
cb55ddb279bbb3b5b738349a90535365

SHA1
c48288250f4c583a33abe89da5d6cd36115690f9

SHA256
54d0e9ffd1e0144a9d38dd34edbcb5cc87a86babb3dac8765f76eebbe9400de0

SHA512
85a4ff591c3a98627823e9761b897cbc29b5316d386a07b21d94faf1f7efa9696b3cf22ca0f5659be26d6093fa85e37e8d4c43f6ce98f1bdc0cf460a9561c3a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_5F5F520ABA6509FB550A7DDEB645B50F
Filesize
1KB

MD5
7d1fb2744bfc7eae37f74f22a76d17d2

SHA1
a26b33a9810cf3bb18ef84bb587bfff2fbe6ce3f

SHA256
6299d936814cea474fdb40b81696926b1d63b890488d988e703429f81e5651c6

SHA512
fb1bf2da8e6510f875c8b17d82d667cf799fcd2d225c4e9da3a367da8b17f08868a2b7a38b5f256e7f7684f375017e207c5052202b5fa5b0031a68f82fdd5577

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_5F5F520ABA6509FB550A7DDEB645B50F
Filesize
520B

MD5
e7829ccbce6ae7da28f06d4e9eba56f8

SHA1
f037d3c1be9e2862887f9f49fef5018de848191b

SHA256
fc93a886a4f3574237eb5d475a37e730c5b95647b4cf76e041695ae29ae5fab2

SHA512
8893176c5b48768aac3dcd8252862c4c0898c81d6944abd175f62485babbdaf203b3bd9583aca7ae56e20fcccd596bca39d0f45c1c7fcfc91ac3e912297c87fc

Download Submit
C:\Users\Admin\AppData\Local\Adaware\OfferInstaller.exe_Url_whevfv1jmb1r2suwnso40052hlxlra1v\6.9.0.0\user.config
Filesize
798B

MD5
c76d70d8440a273c2b2a2764f33323b8

SHA1
3fe51b13b029129c5a491000f5ddd9b4019e81c1

SHA256
8f6658dfb498d9bc831670dffd055d850d327a2defd82e1f24416316b037135d

SHA512
9b70d62bd9edecbfa6cf6ee6c2d912247929b64fa8bd104a7275ffe977091ccc9e3bffa1ad7e93ae2b094c601e5876948d2c0b7e8ece759cf914bc4abf2575fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GenericSetup.exe.log
Filesize
621B

MD5
ad1a8f8d9ea2fe08bd64dd13d6ad450e

SHA1
46a4f5c0e86bedd8f94bdfa0e75005809fc3299b

SHA256
a70ec63df01049ca33e9e9ba171b339b71dc26d88dfbfdf31c15d22cb7bec5e4

SHA512
3bfa4bfedc2ca9922ecc85d7793c5cb47d285f0c4f98e555136f678498c86cf8c6664b3da099e1dd5a01c8151bf643c6a957268e281768b567dc4f5295c5d62c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp
Filesize
161KB

MD5
7b7cddf89de964b6f17adc26092b222b

SHA1
8ef4bbb432b4f0be56c3aad1e4d7844303c2f023

SHA256
d2c0bc630137dbcf26ed3ae0f71b24c17fb9199b5813e3d708f4c786dd38aa4d

SHA512
619846b273e461c2deccd53f068a4d9b11a7c5db2939caad81a88199cd70578817168f8cd6e6402698d218b1fcd430fa9fc6c9c0f481db7c7ca2be4da3452c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\DynActsBLL.dll
Filesize
25KB

MD5
c7151d4057d2b91da27bfab58415dd81

SHA1
bb945c91cdfb0960e785fb5a40b27d25fad448e5

SHA256
4263a69119ae27e65b3bf25e1552c89e1ff2dbf0fbd6865cbd69a95cf851d81b

SHA512
c1f0cb4dee96274fc700d65665690fe5f0075a4fcf9b0b0d12700908225c002efb8311bd8137984cdaffe978936d32a111c5153da8c1784a7f1b7d6204a28f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.LastScreen.dll
Filesize
31KB

MD5
3319432d3a694a481f5672fa9eb743d0

SHA1
99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9

SHA256
768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693

SHA512
7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.LastScreen.dll
Filesize
31KB

MD5
3319432d3a694a481f5672fa9eb743d0

SHA1
99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9

SHA256
768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693

SHA512
7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.LastScreen.dll
Filesize
31KB

MD5
3319432d3a694a481f5672fa9eb743d0

SHA1
99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9

SHA256
768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693

SHA512
7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.dll
Filesize
6.8MB

MD5
4d65e6eb25db2ce61f4a7a48d9f6082a

SHA1
130abbae19f227b0ef4f278e90398b3b3c7c2eff

SHA256
1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a

SHA512
b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.dll
Filesize
6.8MB

MD5
4d65e6eb25db2ce61f4a7a48d9f6082a

SHA1
130abbae19f227b0ef4f278e90398b3b3c7c2eff

SHA256
1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a

SHA512
b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.dll
Filesize
6.8MB

MD5
4d65e6eb25db2ce61f4a7a48d9f6082a

SHA1
130abbae19f227b0ef4f278e90398b3b3c7c2eff

SHA256
1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a

SHA512
b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.exe
Filesize
25KB

MD5
85b0a721491803f8f0208a1856241562

SHA1
90beb8d419b83bd76924826725a14c03b3e6533f

SHA256
18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345

SHA512
8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.exe
Filesize
25KB

MD5
85b0a721491803f8f0208a1856241562

SHA1
90beb8d419b83bd76924826725a14c03b3e6533f

SHA256
18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345

SHA512
8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.exe
Filesize
25KB

MD5
85b0a721491803f8f0208a1856241562

SHA1
90beb8d419b83bd76924826725a14c03b3e6533f

SHA256
18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345

SHA512
8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\GenericSetup.exe.config
Filesize
814B

MD5
fd63ee3928edd99afc5bdf17e4f1e7b6

SHA1
1b40433b064215ea6c001332c2ffa093b1177875

SHA256
2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9

SHA512
1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\HtmlAgilityPack.dll
Filesize
149KB

MD5
7874850410e21b5f48bfe34174fb318c

SHA1
19522b1b9d932aa89df580c73ef629007ec32b6f

SHA256
c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1

SHA512
dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\HtmlAgilityPack.dll
Filesize
149KB

MD5
7874850410e21b5f48bfe34174fb318c

SHA1
19522b1b9d932aa89df580c73ef629007ec32b6f

SHA256
c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1

SHA512
dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\HtmlAgilityPack.dll
Filesize
149KB

MD5
7874850410e21b5f48bfe34174fb318c

SHA1
19522b1b9d932aa89df580c73ef629007ec32b6f

SHA256
c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1

SHA512
dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\Newtonsoft.Json.dll
Filesize
476KB

MD5
3c4d2f6fd240dc804e10bbb5f16c6182

SHA1
30d66e6a1ead9541133bad2c715c1971ae943196

SHA256
1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e

SHA512
0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\Ninject.dll
Filesize
133KB

MD5
ce80365e2602b7cff0222e0db395428c

SHA1
50c9625eda1d156c9d7a672839e9faaea1dffdbd

SHA256
3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5

SHA512
5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\Ninject.dll
Filesize
133KB

MD5
ce80365e2602b7cff0222e0db395428c

SHA1
50c9625eda1d156c9d7a672839e9faaea1dffdbd

SHA256
3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5

SHA512
5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\Ninject.dll
Filesize
133KB

MD5
ce80365e2602b7cff0222e0db395428c

SHA1
50c9625eda1d156c9d7a672839e9faaea1dffdbd

SHA256
3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5

SHA512
5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\OfferInstaller.exe
Filesize
27KB

MD5
2537635bcf851b0faaafc2b0c8eab06a

SHA1
1124433a701fb5e30b73c0fe901d78fd475a5460

SHA256
41f443757912fbadaff9d07c9dfc46a0078d20a512fb10e0a6fec454eea62f5b

SHA512
9f4a2c580be3dfc25a4ceb9aebc759fbabd6c218cc0777d9f07980edc30808bd03f3487bf9dd636513b5ad34f8547c762f6a0749de1019c5d0b94ef76b15e68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\OfferInstaller.exe.config
Filesize
313B

MD5
67ed4edc1d47444b046ad77f68cb2801

SHA1
15d183fc00e868e96e2b5f671bdf5b75678d7474

SHA256
c9dd581b481e198c4e83db6be03bec4bac64c02c6c6f9e3051c23c3df6f1301e

SHA512
f0beef571b8753c7f32a3e7b3716cdf782026268102510b4a6b0631036b8653d2087ab7b7489931c2cb35c1995bcf6eb7530a049d1f89f372282ceb46d402b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\de\GenericSetup.resources.dll
Filesize
17KB

MD5
b597e0a66eac08849cb8ca80f9f2e8b4

SHA1
a0405075964c52945c69c8e9d321ce74b39d63d3

SHA256
b0c5246b10d5dfaf55b2112910c1ca11815f066c2854eecd326c657a7e46ad57

SHA512
4e983f9d781abfc9d40360767e856bbbe5f7673e35a7176e6c85a92f63c7bb3b17445b274672808e78cb13c8055caf3ca9154f19ca7be8cec8b4434124a423da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\es\GenericSetup.resources.dll
Filesize
16KB

MD5
be272836941982a1a22473e27976766e

SHA1
f1ff4d69c805497bb9254df081b4c316844071ee

SHA256
971ae92220940ac6fbbd2ae155138c348de9ce2e6927fc83d48e27bbd988f3cd

SHA512
523d602b44417838c00448061562576ad87eb9e355fa1137c38fb4b9a860081e5b0e5a69c6899717e10854af2f63f56b1d82faf753fc299b525e0dbe34ebd247

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\fr\GenericSetup.resources.dll
Filesize
17KB

MD5
2cf788bac39113080f6ec4d54fb77720

SHA1
3c6e5dedd0b319ac940b49bb407f9ccaae6f6d7e

SHA256
403c4f149bede7ac73a2ff40a3e30e57c9e98ea24cff6121cda04e9ac38f13d8

SHA512
e7d2cbb430ad7c8a8d7f0526255f6bb35d6ff0214ebfaa663c9ca8d21914d029ddb7105ae1ed992bc3bc6615ef0b43c57195f3eba7004121a7aa3e0abe0ed3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\it\GenericSetup.resources.dll
Filesize
16KB

MD5
cedcf18bbabc93400beeb3f26022ac15

SHA1
975be24d7d9d788d23a578a6cf3f0de30224124b

SHA256
7b8ea36bf4afbe6d62623ba85239a6a57dbb710e067786bc0b67b6bdcb245c9b

SHA512
de38d30f313007b11535e1e4054dd132f889e88da1083ec51b1a94597da60030a04a3285f5d80e2a3637c81c5b22cedb7fc58207695ee5afe142c2695f0405dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\pt\GenericSetup.resources.dll
Filesize
16KB

MD5
b537a58b5ee8605d890fc46d0b6918c5

SHA1
06f38521367a13529df8e67bad88754fa517a137

SHA256
e529c65d0b4ff015109016d2567a511f56d04da4c8cf917c0490272220913ca2

SHA512
ff54a2ad53791780cb8a2797f3dd7e009d0c263e516ed4dd3d415ab124f4f90255af63a2e9cb8ee3a5d8b0afb7065e3a3ec12ab48c23d3435332aadab5e12f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0C141096\ru\GenericSetup.resources.dll
Filesize
18KB

MD5
7ea51496582b5b25fd9e6db9de6d1b8d

SHA1
50654a76676458916bc08e7121d7a161e852366e

SHA256
ad97150baedb7406086e2bed93e121a0cbf40459643c3ad3a0669b659d5ff2c2

SHA512
5a4099f7e7e576691b6cde4783702fdc52154388ab3c1361fa3567a9a900c08f2e9e6569c53d9df7469e26c78511a63ff682a0e464d9098844fcba036f814a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\DynActsBLL.dll
Filesize
25KB

MD5
c7151d4057d2b91da27bfab58415dd81

SHA1
bb945c91cdfb0960e785fb5a40b27d25fad448e5

SHA256
4263a69119ae27e65b3bf25e1552c89e1ff2dbf0fbd6865cbd69a95cf851d81b

SHA512
c1f0cb4dee96274fc700d65665690fe5f0075a4fcf9b0b0d12700908225c002efb8311bd8137984cdaffe978936d32a111c5153da8c1784a7f1b7d6204a28f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\DynActsBLL.dll
Filesize
25KB

MD5
c7151d4057d2b91da27bfab58415dd81

SHA1
bb945c91cdfb0960e785fb5a40b27d25fad448e5

SHA256
4263a69119ae27e65b3bf25e1552c89e1ff2dbf0fbd6865cbd69a95cf851d81b

SHA512
c1f0cb4dee96274fc700d65665690fe5f0075a4fcf9b0b0d12700908225c002efb8311bd8137984cdaffe978936d32a111c5153da8c1784a7f1b7d6204a28f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\DynActsBLL.dll
Filesize
25KB

MD5
c7151d4057d2b91da27bfab58415dd81

SHA1
bb945c91cdfb0960e785fb5a40b27d25fad448e5

SHA256
4263a69119ae27e65b3bf25e1552c89e1ff2dbf0fbd6865cbd69a95cf851d81b

SHA512
c1f0cb4dee96274fc700d65665690fe5f0075a4fcf9b0b0d12700908225c002efb8311bd8137984cdaffe978936d32a111c5153da8c1784a7f1b7d6204a28f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.LastScreen.dll
Filesize
31KB

MD5
3319432d3a694a481f5672fa9eb743d0

SHA1
99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9

SHA256
768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693

SHA512
7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.LastScreen.dll
Filesize
31KB

MD5
3319432d3a694a481f5672fa9eb743d0

SHA1
99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9

SHA256
768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693

SHA512
7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.LastScreen.dll
Filesize
31KB

MD5
3319432d3a694a481f5672fa9eb743d0

SHA1
99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9

SHA256
768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693

SHA512
7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.LastScreen.dll
Filesize
31KB

MD5
3319432d3a694a481f5672fa9eb743d0

SHA1
99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9

SHA256
768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693

SHA512
7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.LastScreen.dll
Filesize
31KB

MD5
3319432d3a694a481f5672fa9eb743d0

SHA1
99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9

SHA256
768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693

SHA512
7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.dll
Filesize
6.8MB

MD5
4d65e6eb25db2ce61f4a7a48d9f6082a

SHA1
130abbae19f227b0ef4f278e90398b3b3c7c2eff

SHA256
1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a

SHA512
b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.dll
Filesize
6.8MB

MD5
4d65e6eb25db2ce61f4a7a48d9f6082a

SHA1
130abbae19f227b0ef4f278e90398b3b3c7c2eff

SHA256
1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a

SHA512
b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.dll
Filesize
6.8MB

MD5
4d65e6eb25db2ce61f4a7a48d9f6082a

SHA1
130abbae19f227b0ef4f278e90398b3b3c7c2eff

SHA256
1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a

SHA512
b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.dll
Filesize
6.8MB

MD5
4d65e6eb25db2ce61f4a7a48d9f6082a

SHA1
130abbae19f227b0ef4f278e90398b3b3c7c2eff

SHA256
1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a

SHA512
b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.dll
Filesize
6.8MB

MD5
4d65e6eb25db2ce61f4a7a48d9f6082a

SHA1
130abbae19f227b0ef4f278e90398b3b3c7c2eff

SHA256
1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a

SHA512
b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.exe
Filesize
25KB

MD5
85b0a721491803f8f0208a1856241562

SHA1
90beb8d419b83bd76924826725a14c03b3e6533f

SHA256
18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345

SHA512
8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.exe
Filesize
25KB

MD5
85b0a721491803f8f0208a1856241562

SHA1
90beb8d419b83bd76924826725a14c03b3e6533f

SHA256
18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345

SHA512
8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\GenericSetup.exe.config
Filesize
814B

MD5
fd63ee3928edd99afc5bdf17e4f1e7b6

SHA1
1b40433b064215ea6c001332c2ffa093b1177875

SHA256
2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9

SHA512
1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\HtmlAgilityPack.dll
Filesize
149KB

MD5
7874850410e21b5f48bfe34174fb318c

SHA1
19522b1b9d932aa89df580c73ef629007ec32b6f

SHA256
c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1

SHA512
dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\HtmlAgilityPack.dll
Filesize
149KB

MD5
7874850410e21b5f48bfe34174fb318c

SHA1
19522b1b9d932aa89df580c73ef629007ec32b6f

SHA256
c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1

SHA512
dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\HtmlAgilityPack.dll
Filesize
149KB

MD5
7874850410e21b5f48bfe34174fb318c

SHA1
19522b1b9d932aa89df580c73ef629007ec32b6f

SHA256
c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1

SHA512
dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Newtonsoft.Json.dll
Filesize
476KB

MD5
3c4d2f6fd240dc804e10bbb5f16c6182

SHA1
30d66e6a1ead9541133bad2c715c1971ae943196

SHA256
1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e

SHA512
0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Newtonsoft.Json.dll
Filesize
476KB

MD5
3c4d2f6fd240dc804e10bbb5f16c6182

SHA1
30d66e6a1ead9541133bad2c715c1971ae943196

SHA256
1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e

SHA512
0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Newtonsoft.Json.dll
Filesize
476KB

MD5
3c4d2f6fd240dc804e10bbb5f16c6182

SHA1
30d66e6a1ead9541133bad2c715c1971ae943196

SHA256
1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e

SHA512
0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Newtonsoft.Json.dll
Filesize
476KB

MD5
3c4d2f6fd240dc804e10bbb5f16c6182

SHA1
30d66e6a1ead9541133bad2c715c1971ae943196

SHA256
1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e

SHA512
0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Newtonsoft.Json.dll
Filesize
476KB

MD5
3c4d2f6fd240dc804e10bbb5f16c6182

SHA1
30d66e6a1ead9541133bad2c715c1971ae943196

SHA256
1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e

SHA512
0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Ninject.dll
Filesize
133KB

MD5
ce80365e2602b7cff0222e0db395428c

SHA1
50c9625eda1d156c9d7a672839e9faaea1dffdbd

SHA256
3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5

SHA512
5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Ninject.dll
Filesize
133KB

MD5
ce80365e2602b7cff0222e0db395428c

SHA1
50c9625eda1d156c9d7a672839e9faaea1dffdbd

SHA256
3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5

SHA512
5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Ninject.dll
Filesize
133KB

MD5
ce80365e2602b7cff0222e0db395428c

SHA1
50c9625eda1d156c9d7a672839e9faaea1dffdbd

SHA256
3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5

SHA512
5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Ninject.dll
Filesize
133KB

MD5
ce80365e2602b7cff0222e0db395428c

SHA1
50c9625eda1d156c9d7a672839e9faaea1dffdbd

SHA256
3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5

SHA512
5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\Ninject.dll
Filesize
133KB

MD5
ce80365e2602b7cff0222e0db395428c

SHA1
50c9625eda1d156c9d7a672839e9faaea1dffdbd

SHA256
3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5

SHA512
5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\OfferInstaller.exe
Filesize
27KB

MD5
2537635bcf851b0faaafc2b0c8eab06a

SHA1
1124433a701fb5e30b73c0fe901d78fd475a5460

SHA256
41f443757912fbadaff9d07c9dfc46a0078d20a512fb10e0a6fec454eea62f5b

SHA512
9f4a2c580be3dfc25a4ceb9aebc759fbabd6c218cc0777d9f07980edc30808bd03f3487bf9dd636513b5ad34f8547c762f6a0749de1019c5d0b94ef76b15e68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\OfferInstaller.exe
Filesize
27KB

MD5
2537635bcf851b0faaafc2b0c8eab06a

SHA1
1124433a701fb5e30b73c0fe901d78fd475a5460

SHA256
41f443757912fbadaff9d07c9dfc46a0078d20a512fb10e0a6fec454eea62f5b

SHA512
9f4a2c580be3dfc25a4ceb9aebc759fbabd6c218cc0777d9f07980edc30808bd03f3487bf9dd636513b5ad34f8547c762f6a0749de1019c5d0b94ef76b15e68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE34AD86\OfferInstaller.exe.config
Filesize
313B

MD5
67ed4edc1d47444b046ad77f68cb2801

SHA1
15d183fc00e868e96e2b5f671bdf5b75678d7474

SHA256
c9dd581b481e198c4e83db6be03bec4bac64c02c6c6f9e3051c23c3df6f1301e

SHA512
f0beef571b8753c7f32a3e7b3716cdf782026268102510b4a6b0631036b8653d2087ab7b7489931c2cb35c1995bcf6eb7530a049d1f89f372282ceb46d402b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1680572977\Resources\OfferPage.html
Filesize
1KB

MD5
5f29b47126c45d119442ad3b896f74eb

SHA1
801a4e5b7d01f81c9c398b4d8d9a5f49e5269eef

SHA256
4e85074502c0267e04b324cdbb46df644e040513e94dd13c6625fb2e039c9a3f

SHA512
81ddcda6399365ad83689b14d22488137b88a80988eeed40ff1678fc387cb098227f520514a3d1a2a213efb4a8f435d87f40647bbe35a273c8d277d2c639c18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1680572977\Resources\tis\Config.tis
Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1680572977\app.ico
Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1680572977\sciter32.dll
Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa209A.tmp\AVGBrowserUpdateSetup.exe
Filesize
1.6MB

MD5
34a8f08f336cc90a6746e954252074d5

SHA1
6e15049f46b7d84f72f5fd29b5763092101ffab0

SHA256
9bb292fe2685e6e274ee309c9c5926515cb126da4ff10b94e1595b9f63499ce7

SHA512
18c540e47d363561c59eb57ead438d5e1ee96f2b36ee4089789d7c5bf6ddfece2b4c9031f65521427ddff325803ba85c632b0082c224876d0d8668f22fd8e55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa209A.tmp\CR.History.tmp
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa209A.tmp\CR.History.tmp
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa209A.tmp\Midex.dll
Filesize
126KB

MD5
00fd199d6b8d08446f4862c31b191ca7

SHA1
b6ff09243cb10e34ed8efbdd822add98585008d4

SHA256
1b2a0de815e288161f0a156b4d1f17f06d2f4840b71d9d1903ad1284192cde24

SHA512
fd5e07ac20a40600c2117793f1c5253f2f6113c38cafc71ac87296d92c50217af4aeb3f44fd2834ec08d89dd8434ab1952262123eced279210236bb770c18ad7

Download Submit
C:\Users\Admin\AppData\Local\setup21630.exe
Filesize
3.1MB

MD5
369acf60d8b5ed6168c74955ee04654f

SHA1
1753fff63efa6ed5ad30ede6b959261ac67dd13e

SHA256
3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632

SHA512
2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643

Download Submit
C:\Users\Admin\AppData\Local\setup21630.exe
Filesize
3.1MB

MD5
369acf60d8b5ed6168c74955ee04654f

SHA1
1753fff63efa6ed5ad30ede6b959261ac67dd13e

SHA256
3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632

SHA512
2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643

Download Submit
C:\Users\Admin\AppData\Local\setup21630.exe
Filesize
3.1MB

MD5
369acf60d8b5ed6168c74955ee04654f

SHA1
1753fff63efa6ed5ad30ede6b959261ac67dd13e

SHA256
3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632

SHA512
2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
9c32649366fd260a2ff92850d89b01c9

SHA1
845bc7f759ef83ed4ac8477602bd45fd1d66f64a

SHA256
699eb013bfa89ec765957a1e8ec8cd3702f384a46a60304d87db91343ef6e23f

SHA512
3932c6e39dbd4484aa76548dd5f7132fa7b32eac1b92bdd0a778b5741e3558a2b182af030fecb0c58f3d429826d4572762f8f8f651beb9c1a5194466ddba8a03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
e33809c45307c2aa4d89a4ecfe1f9955

SHA1
9dfca14aa6b5c51d1d58ffc02624383f2a4e2484

SHA256
222073f5d92a800b29badab95427667917ca81893683cbcfc909058379f6484e

SHA512
d3d5b655b375d460bfd4be519130217f2d2e503cdee37889d256962b394d559693180fd2a69c7f2daa580338c35d0b4b138144ad25ba98284b3717ae6bf02bf6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js
Filesize
6KB

MD5
d08a098c1e1a1d8af90b5a4352c4e57c

SHA1
21e95eb4cd8a620a34060a06103852502c1662f8

SHA256
dcb5904f94794ea09c53b247fde955b76930b3b8a71a81fe5cbc7614822f63f1

SHA512
2b38ac0d1c2db36485647b1c672a542ac7bb9e60675d45d0a8c5f8fe4ca2c3fd5c7664549d2fdb341a8245aed171c5b9d0d6ee43aea4f3166bfbe624c35309d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js
Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
11e21bf89d579ba6eaed0e9da827c3c7

SHA1
d5beed19e6964c2146b1b6669b92e86e7b5e13c4

SHA256
821bb7ccefcfda78be3b8f5acf3c943691de1fdbf4eaf7a9d07da0b536daeaa2

SHA512
5b4edfe84dd0ca93c6c194e14d3e7f09075ee967a7e745124e756d590f910111b4c794afadddc66775ebba80a6ff76e849793f845460cd0f9f412e7c97ee0157

Download Submit
C:\Users\Admin\Downloads\Evon.WuQP0obK.zip.part
Filesize
8.8MB

MD5
01ecc9d9155859c660773ef9f5d8197a

SHA1
5bd1e02c070122ffc2df9b9cf6e238a136e0dd9d

SHA256
c450e69042b0edbbc364b10af01b74eda3562339c99eb9b8a2f28ddf86c0245f

SHA512
3ca6682a32d65af93ce9fd52d6e43d825a21db71f9f7c4f101abdd47b0bb1f008040ca6790d0d36d3aad0001ee32d45176f9a93c32a5953a10d9241b56526bf0

Download Submit
memory/332-210-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/332-278-0x00000000066F0000-0x000000000671E000-memory.dmp

Filesize
184KB

Download
memory/332-204-0x00000000058F0000-0x000000000591C000-memory.dmp

Filesize
176KB

Download
memory/332-267-0x00000000079E0000-0x0000000007A72000-memory.dmp

Filesize
584KB

Download
memory/332-293-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/332-255-0x0000000007CB0000-0x0000000008254000-memory.dmp

Filesize
5.6MB

Download
memory/332-200-0x0000000005830000-0x0000000005858000-memory.dmp

Filesize
160KB

Download
memory/332-205-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/332-196-0x0000000005EE0000-0x00000000065BA000-memory.dmp

Filesize
6.9MB

Download
memory/332-192-0x0000000005410000-0x000000000541C000-memory.dmp

Filesize
48KB

Download
memory/332-188-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/332-209-0x0000000005E70000-0x0000000005E82000-memory.dmp

Filesize
72KB

Download
memory/332-249-0x0000000007090000-0x000000000710C000-memory.dmp

Filesize
496KB

Download
memory/692-384-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/692-395-0x0000000002CE0000-0x0000000002CEA000-memory.dmp

Filesize
40KB

Download
memory/692-391-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/692-426-0x0000000007440000-0x000000000744A000-memory.dmp

Filesize
40KB

Download
memory/692-496-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download