44caliber | cc16768fe66b11c07282c6d5d543701b85b283a44de51fdd4a9bd2a014f37b68

Resubmissions

24-09-2023 13:36

230924-qwaqyafd8s 10

24-09-2023 13:30

230924-qr3k6afd4x 10

Analysis

max time kernel
439s
max time network
442s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2023 13:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

EXPENSIVE LOADER.exe
Size

1.3MB
MD5

bfb9334833749790c0df81ab1489c5a9
SHA1

b38e3080dfb1d35ae303b9f0c14a7cf12621de7c
SHA256

cc16768fe66b11c07282c6d5d543701b85b283a44de51fdd4a9bd2a014f37b68
SHA512

e41a66d9932f7853c9015ef0361cfbf4702a31d356e97dae1fb9ece085b808cac0e9a5d6d70a2763d08b3f940aacc074181bae6755077933d97f9a92b93c65d1
SSDEEP

24576:bw3SBs2Mhfs2OcpIi5aO9z1dn7Az8Zk61NlPXYpky7vKCB/nO:E3P2MhkPTaz1tswiKPXYpkyjKCB/O

Score

10^/10

44caliber bootkit evasion persistence spyware stealer trojan

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Blocklisted process makes network request 1 IoCs

flow	pid	Process
350	5016	msiexec.exe

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\Kaspersky4Win-21-14\klif.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\Kaspersky4Win-21-14\SETED80.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\Kaspersky4Win-21-14\SETED80.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\Kaspersky4Win-21-14\klflt.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\Kaspersky4Win-21-14\SETED7F.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\Kaspersky4Win-21-14\SETED7F.tmp	MsiExec.exe

Executes dropped EXE 2 IoCs

pid	Process
3784	startup.exe
664	startup.exe

Loads dropped DLL 63 IoCs

pid	Process
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
664	startup.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
204	MsiExec.exe
4060	MsiExec.exe
4060	MsiExec.exe
4000	MsiExec.exe
352	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	startup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	startup.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	startup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4256	EXPENSIVE LOADER.exe
4256	EXPENSIVE LOADER.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	startup.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Inf\oem1.PNF	MsiExec.exe
File created	C:\Windows\Inf\oem2.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSID624.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE968.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE512.tmp	msiexec.exe
File opened for modification	C:\Windows\installer	startup.exe
File opened for modification	C:\Windows\Installer\MSICDF1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID4DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB38.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC58.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\421858948\767729314.pri	LogonUI.exe
File opened for modification	C:\Windows\Installer\MSI2868.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF9A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9B0.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIE417.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEFC.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3CC8CD12-5F5C-38C0-9557-8D379777C4AF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBA6.tmp	msiexec.exe
File created	C:\Windows\Inf\oem0.PNF	MsiExec.exe
File created	C:\Windows\Installer\e5dc806.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE00E.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF03.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5dc806.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID673.tmp	msiexec.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	EXPENSIVE LOADER.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	EXPENSIVE LOADER.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings	OpenWith.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	startup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	startup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	startup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	startup.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\startup.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4524	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4256	EXPENSIVE LOADER.exe
4256	EXPENSIVE LOADER.exe
4256	EXPENSIVE LOADER.exe
4256	EXPENSIVE LOADER.exe
4256	EXPENSIVE LOADER.exe
4256	EXPENSIVE LOADER.exe
664	startup.exe
664	startup.exe
4060	MsiExec.exe
4060	MsiExec.exe
4060	MsiExec.exe
4060	MsiExec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
624	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	firefox.exe
Token: SeDebugPrivilege	3616	firefox.exe
Token: SeDebugPrivilege	4256	EXPENSIVE LOADER.exe
Token: SeShutdownPrivilege	664	startup.exe
Token: SeIncreaseQuotaPrivilege	664	startup.exe
Token: SeSecurityPrivilege	5016	msiexec.exe
Token: SeCreateTokenPrivilege	664	startup.exe
Token: SeAssignPrimaryTokenPrivilege	664	startup.exe
Token: SeLockMemoryPrivilege	664	startup.exe
Token: SeIncreaseQuotaPrivilege	664	startup.exe
Token: SeMachineAccountPrivilege	664	startup.exe
Token: SeTcbPrivilege	664	startup.exe
Token: SeSecurityPrivilege	664	startup.exe
Token: SeTakeOwnershipPrivilege	664	startup.exe
Token: SeLoadDriverPrivilege	664	startup.exe
Token: SeSystemProfilePrivilege	664	startup.exe
Token: SeSystemtimePrivilege	664	startup.exe
Token: SeProfSingleProcessPrivilege	664	startup.exe
Token: SeIncBasePriorityPrivilege	664	startup.exe
Token: SeCreatePagefilePrivilege	664	startup.exe
Token: SeCreatePermanentPrivilege	664	startup.exe
Token: SeBackupPrivilege	664	startup.exe
Token: SeRestorePrivilege	664	startup.exe
Token: SeShutdownPrivilege	664	startup.exe
Token: SeDebugPrivilege	664	startup.exe
Token: SeAuditPrivilege	664	startup.exe
Token: SeSystemEnvironmentPrivilege	664	startup.exe
Token: SeChangeNotifyPrivilege	664	startup.exe
Token: SeRemoteShutdownPrivilege	664	startup.exe
Token: SeUndockPrivilege	664	startup.exe
Token: SeSyncAgentPrivilege	664	startup.exe
Token: SeEnableDelegationPrivilege	664	startup.exe
Token: SeManageVolumePrivilege	664	startup.exe
Token: SeImpersonatePrivilege	664	startup.exe
Token: SeCreateGlobalPrivilege	664	startup.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4256	EXPENSIVE LOADER.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
3616	firefox.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
3972	LogonUI.exe
3972	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 4432 wrote to memory of 3616	4432	firefox.exe	72
PID 3616 wrote to memory of 3464	3616	firefox.exe	73
PID 3616 wrote to memory of 3464	3616	firefox.exe	73
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 3620	3616	firefox.exe	74
PID 3616 wrote to memory of 5116	3616	firefox.exe	75
PID 3616 wrote to memory of 5116	3616	firefox.exe	75
PID 3616 wrote to memory of 5116	3616	firefox.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EXPENSIVE LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\EXPENSIVE LOADER.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.0.1039636655\83812131" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20858 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd451729-bf91-4186-839b-78818eb879f4} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 1796 1b9cce05858 gpu
    3⤵
    PID:3464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.1.1241284991\94946193" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20939 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d1105ab-5072-44cf-9088-559bc06bbcc2} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 2148 1b9cbbfaa58 socket
    3⤵
    - Checks processor information in registry
    PID:3620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.2.927367739\1469259695" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 20977 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc773b1e-2298-44dc-8779-feb41b3830e6} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 2820 1b9cfff0e58 tab
    3⤵
    PID:5116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.3.1719165685\2088743859" -childID 2 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 26402 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22d992e6-1b7a-4843-ad99-efc7833ec34e} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 3376 1b9ce548958 tab
    3⤵
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.4.441682949\940761671" -childID 3 -isForBrowser -prefsHandle 4428 -prefMapHandle 4424 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {982f075b-c6a8-46de-9f9f-cd6b2d431128} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 4440 1b9d1bad258 tab
    3⤵
    PID:688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.5.606473319\1355184409" -childID 4 -isForBrowser -prefsHandle 4856 -prefMapHandle 4916 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8fef667-a05e-4605-b644-153bd53a0c6e} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 4864 1b9d200ee58 tab
    3⤵
    PID:352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.6.1033479621\1169493205" -childID 5 -isForBrowser -prefsHandle 5344 -prefMapHandle 5356 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a82e1476-ee8d-4496-b609-dc30c542edd5} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5364 1b9d2da0e58 tab
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.7.730701115\14954163" -childID 6 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57bde1e9-e5fa-4f0b-901b-38612a671782} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5404 1b9d2d9f058 tab
    3⤵
    PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.8.1965085785\1152324815" -childID 7 -isForBrowser -prefsHandle 4620 -prefMapHandle 4764 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cce6cad-da1c-4284-ac84-f37121e496da} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 4752 1b9d1dd2b58 tab
    3⤵
    PID:824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.9.563298700\859709084" -childID 8 -isForBrowser -prefsHandle 2604 -prefMapHandle 5040 -prefsLen 26901 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afead270-aabb-4bfd-91d6-f49abef43415} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 2716 1b9d3792558 tab
    3⤵
    PID:2964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.12.1571500771\1375517396" -childID 11 -isForBrowser -prefsHandle 9260 -prefMapHandle 9256 -prefsLen 26901 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f50286de-b6bc-481e-a5d5-20fa70c798db} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 9264 1b9d52b1d58 tab
    3⤵
    PID:1704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.11.1166292799\928344588" -childID 10 -isForBrowser -prefsHandle 9576 -prefMapHandle 9448 -prefsLen 26901 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {caac1163-728d-4fb2-93b7-64ca8f7ef6eb} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 9460 1b9d52b0e58 tab
    3⤵
    PID:2420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.10.1990551645\1620559728" -childID 9 -isForBrowser -prefsHandle 9588 -prefMapHandle 9652 -prefsLen 26901 -prefMapSize 232645 -jsInitHandle 1256 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7976c06a-e823-4192-98cc-bb22a427aec3} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 9640 1b9d4430658 tab
    3⤵
    PID:2208
- - C:\Users\Admin\Downloads\startup.exe
    "C:\Users\Admin\Downloads\startup.exe"
    3⤵
    - Executes dropped EXE
    PID:3784
  - - C:\Windows\temp\A293B84BFDA5EE114B30E6E06E795639\startup.exe
      "C:\Windows\temp\A293B84BFDA5EE114B30E6E06E795639\startup.exe" -initialNonSecureSetupPath="C:\Users\Admin\Downloads\startup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Checks whether UAC is enabled
      Writes to the Master Boot Record (MBR)
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2736
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RepairMerge.hta
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4524

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\RepairMerge.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:1868

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\7d07dc3e17944c138cdf33082e247984 /t 4744 /p 1868
1⤵
PID:960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 61616E4514EE0303B418DB4B468B904F
  2⤵
  - Loads dropped DLL
  PID:204
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E6BDD5DE65EF8D520B6C502F5425475E E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E1442B1FDE7F3F537C3C01E0428AA4ED E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 489DD376D17C7FA097638DF074AC9D5E E Global\MSI0000
  2⤵
  PID:312
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9BE919D1FBC32A021F42CAEAC5674798 E Global\MSI0000
  2⤵
  PID:2512
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 82350959E6EE00D2B81AF2516B7BFDCA E Global\MSI0000
  2⤵
  PID:1840
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 361D69E9A87F62A011E103D5A4F17049
  2⤵
  - Loads dropped DLL
  PID:352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae9055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Cookies_Firefox(56).txt

Filesize
5KB

MD5
8c35d852297a36cf670c291124397729

SHA1
3b6e6570fe936ccd88e9cdf9fd771f35b7645060

SHA256
07500b245059d1e73be635c1ee5b45584f2b39e62a083886952d699711c76e48

SHA512
fabba2707b084ed4858b16d7a89d0c252b332d11fa6b47ad57278b0771ccf15bb66932de969aed91f1cd1bef431ae7c8cefb86efde4213bdeb5a73f3e73b8d61

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
175B

MD5
83a0d7f141c0f89020420a4af59e0e33

SHA1
874837c3ecd12dee0085e0f835ffb0ba1bd16a0d

SHA256
5475cebd573e9d3be84f91a693c53c6ea91215ac9b37cd8630f8b86719f9cbdb

SHA512
6a49dc9d10a02c09c3266ab15fae8e7128f72c436f0bf3c0f3937d9990f1981f6fd76ddbe8715bb0ee452e7a6e614dc4f642474c0c2f0cfc2bb72f0f7a0ef26b

Download Submit
C:\ProgramData\44\Process.txt

Filesize
733B

MD5
89aaedd1238351a387173e13ce2d225f

SHA1
f92bb139f73339331fdcead46623abcab0accc2d

SHA256
88c6bcfe58edf303d3a606e9a36cc20e1755b5200ca6d26ab1885a826c7b40d7

SHA512
e127722625af04e7a4e50b000dc1ad891d96fd6f87696fed63af37c7d935b88b7ae5557fbb4dad414c80779e40709f10df046de0ac02c6f4fce8183203195b34

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
61b227b3e0ee274afa294c1a1b058a65

SHA1
b8cf2bb72263725de5163a20b61320a94457dc09

SHA256
3c65578bade85d2a679d6631efaa64d62248651fdbda38dcfdcdfb3f82118af3

SHA512
2280190d2d92844d111f74df048472ea5bfd0ae5cd6297bd4b961a2694f6e597122e24105b3bc0c34a875c1fead41bc4dbeb4784ba3ce23c5ebd682caef286ad

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\common.z

Filesize
11.7MB

MD5
b00512edceda910409882f96a88ac3e8

SHA1
ab96350417d56a45f986137f191b156488882e46

SHA256
c3164b704150e079688d45aac75ca47926337e7829de2ba7f78fd5e9f9b0fd98

SHA512
fb2cdf86704ad81571456472f3481026dc2784b264ae201e053f4ead2716ec175d2b32f74be85de1c2986110dc53861dbf945e105233a276c3fc6507648e6677

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\corebases.cab

Filesize
140.6MB

MD5
3b6b5dd3794cc11d6bcec28bddcbd649

SHA1
42c6395db839075073aafee3739869eaf2a57225

SHA256
d9113fc9b3329401226e473880684ebeb2469c9648035943689005727f4254fe

SHA512
ac4892f59e0de424518c5ca7d5fc5917345d8be0f5b4e0bb10e3f85cd01897dc24d516a1e879523a64aa98fedae921eb2a116c24b829e79319a8e7aa6bc8e13c

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\corebasesx64.cab

Filesize
339KB

MD5
17751ec93fa3a425e3c093db54e7a856

SHA1
230cae7b0cd2af727c3216fb62284ffa78c04ac5

SHA256
97db3ea71cd015399fce15208a88d34d7d703d9d221c2c9793ed08f877ef8b9e

SHA512
ac6d8f0b02650a2fbe5a2ca2cb4c29267c8b8e3b3a2076d2ef76c656d84ce01d55cc7e6445a2132be573e1572b57664b8918899e30dfbd5324b1cb40f42e4281

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\coreproduct.z

Filesize
41.9MB

MD5
b7527eae1e925e730c24fd210455d3a1

SHA1
a2de9211f0700eec7dfd7605dfd3efd69bbec0a0

SHA256
0753c1aabfd5cfa1ba2b739bdf108253fd1b8131a831d0c5d640150d29147938

SHA512
508e7975a50613c281224b79e3c4a56ff0bc2aaff8a19682f7abfef3a75f3de07464e0b3e3d60e423b5b3a52045bc2adf3bac5814a4fd4e90e938126d64aa515

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\coreproductgdpr.z

Filesize
71KB

MD5
bd0e042389758331431c82c479768140

SHA1
359b42ca77c0c247cf6815d1a82740a7ce0b6b2d

SHA256
3dea15e63eae36b5efe225bb561db514173cae3e8c5f975e9c5ec439043cefcd

SHA512
234c981c546794b9992577ad674858c9f8598a07ed98f48f5ced0609a6cd793a6a15efae1f9f525ed324850a306e86b953f10e7d719cafe90c7ff972dc077921

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\coreproductnogdpr.z

Filesize
69KB

MD5
2c39829bac1900eddb6f28bac3251e0f

SHA1
eccebc428799e37757cf9517a75faa7180e37d83

SHA256
5f8debf5128bc34334b709a29720c7b559823b16a0048e02c8bbb8eda0d4caf7

SHA512
624087fb3995b038eceafc95a05adcfdb87a96693b0c42722215a5a8fe3c26180ac842a505c39b1fbe35a3997d626cd9de3056c99616abf165f15ba331d3bec3

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\coreproductx64.z

Filesize
8.4MB

MD5
bc3ef951710859e1e7e32e9b30c086a7

SHA1
f2cd7f1d31e9ca73bafebdeb0d58040dad577dc7

SHA256
4aeee69e7d4e3e111314f714bea6605230c71ea32eeaa76c555dc307354a5574

SHA512
e0481ba6cdb240f2b2fb7a0dafab6cd30e2e8e4396d5c636d6a522908c7f2735a84147d37848b45fda660b62104392abbe38048f846323994a2b50f8850ba574

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\esb-win7x64.cab

Filesize
1.2MB

MD5
d1595b04107e1a8dd01e8cfd3de0246e

SHA1
99cf43d770e9ae47c703862aaee24d1da9a08bfd

SHA256
d79e9e2becb798126c41a6aa20d24da51b101c2ca8d23c6460b7d2bac21cedfc

SHA512
ded1603d69303fe4873a5166564286c1982cae1eacaa496a7f08005d4e3f742506caa94e17ce9b432f8320ffce2af1e86000bde3d5648f71c81d1266e04f8a89

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\esb-win8x64.cab

Filesize
1.1MB

MD5
0e664f07cd126c089479c9a45f702cd4

SHA1
e923b719889209fddae1b9373bb1231bea3d2009

SHA256
665d9b586434a2dc8d686ffaf0c5a312f16408ef182083bb2fdd0c159f7f976c

SHA512
e5c2f6e16d4fc143704d5951e9d25d49ab8152230789fbf0608113a9a0a5f654c3e9532eff09b8cea88d547264bb381d16ec72fd581aa29750674125260e12ae

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\ipm.cab

Filesize
125KB

MD5
fc3d5a4331b3508f1da7d949684b71cc

SHA1
7243662f9ebbced9ff74ae8e37c959f265480530

SHA256
21ea63b2f97b197c840b4086fb9f692abe356d555c4414c1e431f0896f58b363

SHA512
399b42b043326a7926503528497d3242740b6fa29ef437afe54f30027fc3b48a8e6b229fe31c18f8a2fa4f4137373cdb697afb4eac9c42d13f6c2f50cb84f15f

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\kdscrl.rdb

Filesize
3KB

MD5
79a78149e4ef2e6e09cc061338c7b151

SHA1
99505d2461a18f16d4d185603887c60e226347ee

SHA256
e6c0da20fc5d9eda24e4128faa5641f8b2d39951e0a0236c013e1f1efcbf83fd

SHA512
a3baf55b373b943f8f1c8840cdc2f02a94aed436c54fdcb8cf6eeac9b5840a5e1a11be0c70460da0c17f6fda1b01b87f4e2a688abb5ddeb7819301a1354d688e

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\kleaner.cab

Filesize
2.9MB

MD5
3fd380bcc05a6dc2ba88b05ef195a117

SHA1
0f83893c839bff6277450b477484c8f8221af6b1

SHA256
6df0d4fc2118a9b43078d5533a8387fa0167f14a72981c11798d44355f4b6b3b

SHA512
e507f96ad4c5b96c859de923b4fa7f438ef0af1e54da2fc9f5418fed1a2283b4dc5ea8138f8233da76c9dfa080c5c3b9608ad288c7ad28e9ce5c07706fab37d4

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\product.cab

Filesize
7.5MB

MD5
cc17af4b02e432b50e3d8b5afd9edc42

SHA1
63d2a426ac90821a1e25b5a5fcc8aadcd3575e41

SHA256
64b2114af30765cc61175881046568f4f7c81ad3b2b28734b214bc381d1dc6a4

SHA512
680cb8a4b78e3b3c346550a16ed0ca83fd3bd187a8c0a96353d4d0e44e791430d593acd7ff6c6356148ff94a2b092303deb99f5f26c703ef6dd1c59a3d6f1467

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\product.msi

Filesize
15.4MB

MD5
69f610595dbf0c2ab7ca736cf17f5d21

SHA1
e506509fd597e68c52d7b9fc1d533b515e39e77b

SHA256
15c5945d312280d760a21fc54cf64e175a2790ee58b93f5fa8a7f245d66d2df8

SHA512
10194a759850e8e60401b1036b3651bc739e527d9d292b597187966cb8e907307cb4856ffc73edab93c6de4d190c5886982e6c3daeefb33d35d19782b9c34a95

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\product.msi

Filesize
15.4MB

MD5
69f610595dbf0c2ab7ca736cf17f5d21

SHA1
e506509fd597e68c52d7b9fc1d533b515e39e77b

SHA256
15c5945d312280d760a21fc54cf64e175a2790ee58b93f5fa8a7f245d66d2df8

SHA512
10194a759850e8e60401b1036b3651bc739e527d9d292b597187966cb8e907307cb4856ffc73edab93c6de4d190c5886982e6c3daeefb33d35d19782b9c34a95

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\productbases.cab

Filesize
1.5MB

MD5
3a6e31e5ad5c9395814e145a1406129d

SHA1
6e9ccc7c8a2d01928a3ec90df8ccabb1c1231fce

SHA256
c2cb83aa50fb85706aeb5930b48eb7b9866ced3b0861f2ecc4ed5bfc42c91a21

SHA512
7637300afdc4e79927071a0ad6b92c99670a6bd4dbafe6fa07a96a7c04a9cd4b8de2bbe30eab63a90a1102c6b3a848fbe5cdde716078a9a99bee988342fa9c78

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\startup.bin

Filesize
4.2MB

MD5
68a79129e7b0b0bf1dfa2f2b48a8936f

SHA1
724c86bbf3cf6939511b31359963d5cad2ba5ca6

SHA256
7876ac2677e39905a6dd7804a59ef8fdc65e58352a5721c5056a096fdacaf4ee

SHA512
fad114018ace771c3545716c6e020bc06b19ee7fafc67bec2291449f508fdcbc6959cdf706007c25af6271450258eae53001889e5d7cee506162ed6c10c8f94e

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\startup_m.bin

Filesize
4.2MB

MD5
450882842b7d514243e219da7feac17b

SHA1
4e09252eb4f601e08fbb98d4026800ff889471ce

SHA256
3a899bd9f6e3e30acbeda6987846f688ae65e8f88f4c6e5785302a18fecf9794

SHA512
d60b36aeae780698e733872dcd7624bf9623f7c24e26519838e0dcbbfa818cae6b7fe0a04dc3571976d3e305ad86759609260e058cc1808443d83818d36155ce

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\startup_o.bin

Filesize
4.2MB

MD5
ec30281837d74d39c20ad9c477828137

SHA1
f09e28808bfe7c10b3769258eb2288bf98fc8cab

SHA256
f6fa536cd56566f054a2e7ec3dbad5600d9efa4eb4c08a433d83ef08e4f51cd4

SHA512
c0e7af49a94daae7640e1bf98031ce0c3348e42353f772923e7b5a1617fc56703d22fc26b092047d776cd60a475d9aa9c1aba825afc1a6eec19221ab358a9fed

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\KFA21.14.5.462.0.211.0\x64.cab

Filesize
8.1MB

MD5
ee4ed305d352946c9c3484808a6b2cb2

SHA1
b58c13b879f8fadd0d067bf93ae414f0877132b7

SHA256
95cf56401516a038a67016465ed7e993da863f529df21756aeefc86a737d123e

SHA512
2ac25cbec24d06b43954f8266b8aa9a03f38be530739b40256933ab10059b3606f277612150b80839e52503108dea11b84cca983a4c32c84133a5d233ac601b0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4tubnn5x.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
485b2d9a4de3252345331566c5831016

SHA1
c6090ae9bbe0cf892bd3c501b501d34ddb7a09de

SHA256
2b1c82f31c23162e1e36ee123aec66cc4dff44f08a53601be87aeea5f698644a

SHA512
0e1748891c54658148991e613dcf933e92d76f7064f678ab2c11030f8732d6448646488ddd8d83095b33555e5594fd4318c2e031fee1ece67f42d07b10e08943

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4tubnn5x.default-release\cache2\doomed\15051

Filesize
8KB

MD5
6444d97a7ae755b852f7e9e370bb8630

SHA1
29f6424344b11489315140b0d0e24ab43d5a3740

SHA256
4488551ef76989f6ef533e272a66b6dfdfc3b60cfffb77780ed79902a08d6835

SHA512
7b5ac08390ed1e4e1183a88678c6c0e6d19fb3f48c82b5fe0067ce2dcecb78020701babfe4f0ad2335eac0b5fc962f88c63ed39a22b1b4750d991cc53baa1a30

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4tubnn5x.default-release\cache2\doomed\21458

Filesize
9KB

MD5
e56701f6749d9c6cfabe14f460eaead1

SHA1
8f141186219d3ab38fe26506e6c186096d8701a1

SHA256
a58870082d8d76a1bb2358a90b2adbf60e5e43e225c87f3a73e93f5f8ad6f059

SHA512
7ca4b4d34d746b6be129cc0bcb9385f2aa134b428581d8f36452d07a75696178351b9f5cec6b5b4653a380ca760b64e19c61cc61732df7b2c0fa09316acadcf9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4tubnn5x.default-release\cache2\doomed\23760

Filesize
8KB

MD5
dcc9c3167244a8c1d242074a57f55468

SHA1
6db700d114bb7d5558c5d90ab7ce25962bda2216

SHA256
16a33dd0ad17e984d4b128f18ac38ea40327bb036586e9f8eef921794c58aad0

SHA512
cbb235ad17e815e49c1de3e120018a6c0cc62054df9164d8107bce751f6f0c1e0cff715e671856dedb4c5f88b52f20e925f60c688b11005731f21688bef6f5e9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4tubnn5x.default-release\cache2\doomed\27460

Filesize
8KB

MD5
22df47e3328f177385922f9c03d89ee0

SHA1
22b1844b37e7918ad26598225b311a30cd2bf6df

SHA256
48ccbc5833ec668c452e24201c02adda6ba388d17e5611c6d1f4e2e6bfcdddd2

SHA512
008cb4c99e02d8d3997c4f1dfa7d59fae46c8b2ec1e1f368da8bc6e14887a32e207eabbc80b3f0fa01a3577f177dbdc0ab17bd52ac3dbd99b9124bd3e9eb1762

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4tubnn5x.default-release\cache2\doomed\28698

Filesize
7KB

MD5
19a89dbe7d71cafadf10029e158aa0fb

SHA1
13ff30eb726779de6c60bc9343f74f7d02597429

SHA256
6165b5f9ec91ba2c4c3b1d2a064c22ac7929f2491019ed6800e62779418d77a7

SHA512
1370d8189bfbfaae9fa8c08cb558bd12500e13fcd656b8587cf1f018651fde025e5c09d21e9b6d653b6c6f0c38ca89aa56c28e3e3f855f341c97726bd6d74d85

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4tubnn5x.default-release\cache2\entries\33A1CF95FD7A802E335775673F03E103D8C3AE9B

Filesize
1.7MB

MD5
980c6b9bd30c3c4858d35ff769ac7172

SHA1
b2e55a252ced5014e9fcb985b6ce84fade3fc569

SHA256
b89c2117b2cd59fb926f345ce9de2edb5caef2eb026dc0e4402d1a6b37deeb9e

SHA512
e335ffc826756a6603cbf32e7af8a719ba6a378e9da28e35c1c8a4b7e8613f554bf8f8ffd13eb263bfeb54d3ade4cda1c416c6cb2a0d29ab8d48fd62a9f5dde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B17DCCB-5AE0-11EE-B403-6E0EE6976593\netcoredistr_6010_x86.z

Filesize
39.2MB

MD5
b961c48637f036598e94b4c4b833403c

SHA1
310f8aefb1085c1628b173f135a5d84b99a179e4

SHA256
c0e90d2719790306273d2f422c31283be19ac2ea40aeaa3d402777b9a5b95546

SHA512
1bfbd68cab477a36b89d5aecf3870313c2e85f2a6cde9dc00ed8d070d07577ae3947910f576cf574af8ab025b27717895d4ca7c0dcb4c15e5d55320cd6c75115

Download Submit
C:\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\System.Windows.Interactivity.dll

Filesize
39KB

MD5
3ab57a33a6e3a1476695d5a6e856c06a

SHA1
dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7

SHA256
4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876

SHA512
58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92

Download Submit
C:\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.interoplayer.dll

Filesize
54KB

MD5
1b04066796d433257699921e5171ef9c

SHA1
0514df44ba945fdf080476d9991c06c78fffef75

SHA256
ba545cf9e14569f8b13e3ec9523a1cb5ea0b9270c173be4051aa88ffd025ba89

SHA512
951108afc0af83bc5c5b3cb282593cb310c756d3999b94d644f16df64d16280815783e1d6d8c102c128527c17c47de385d6527a57b5f162dc48aeb37d117cd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.visuals.dll

Filesize
111KB

MD5
290ad1387d14831c4d2e354ef6278d8b

SHA1
3ba7153ea7cfb8e6b451276b718372133a90289c

SHA256
b1f443629bab7b8dc80175a27f7c456d167598f05ed87d793d852983aa852c02

SHA512
ff533ef12037fd06021660877969f74521bb638cc48401a77b3b5bb0f9ce65dabd4c488c3b631fe21ce76b3213e0cc20add05721db8b667e0f6d5445114cf56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.uikit.b2c.dll

Filesize
1.2MB

MD5
ce27ebb2ce3b659322811e5f2bae03e7

SHA1
166c8374d24f9e4c0bc0d91d5a15ea4860551ad7

SHA256
c1c5cdfbdc19f84f35f3a5eeadfc8eb52386c11e74f9edc3349830137c4f297d

SHA512
61dbeda532011f0371b51305acdc5b5b34db84733e55ca3a00bb6e08ab5aca110d18a869b44d4ccbda9cbc45f4f4f823b808884cb265ee4c3c6dca1d057c1ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\setup.dll

Filesize
5.9MB

MD5
8d3d7204d73867d7bf0f1e721b5629e9

SHA1
d3293e98e0b432a00a254b247d72fae8242c3d52

SHA256
57a125fa4d94aa989219892173e491543d95bac1c7ee4340c741240c4d7a5275

SHA512
71f3a051c8223ad1d2a992356d132a4ea79858c16b15771631686574364fdfbb24251e9bf97e0bb551d4bed7664852a6732df5bcb85332e2305745d7659425af

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4C2D649-5ADF-11EE-B403-6E0EE6976593\modernwelcomepage.svg

Filesize
11KB

MD5
22482cdd752aebe20d205b40faff8389

SHA1
9c00d2a3e782cc47afc58c5a558500148d9de393

SHA256
fec9b1118586c459512540bbde7ff1ddcc278f8fa77dbe63e64e91971c7445fb

SHA512
9731e92f2d3c04b6911423ed67b16a255209ddd30231e95e375b6298ec2b0730858e69b3937239bbf328dad2e22653f8b6f97b035e94f5713ab47903fb57fd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\kl-install-2023-09-24-13-43-16_KFA.21.14.5.462.log

Filesize
1KB

MD5
37e882c4d23a4e4d6826ed1cf486d86f

SHA1
e92c0e9d85f5bb698f5ecc3a0ecc53f50560e2cb

SHA256
98aa4b625772460b41eba711027ed355adc5c3866221503b9c44001381a8a0a1

SHA512
c775e6ae959cc614258d7dcd54e34b165cb8be4ed8a8d268c5b06cd4957a6e9a9a4de683d7beff8d29e0b6d18da0d1c20701d468265dad690fbaaf737f7ce965

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46E1.tmp.tmpdb

Filesize
5.0MB

MD5
d02592e9c0612d7237db8a06878cc90f

SHA1
77a351f90c52091fb6b6afc445a647101e282600

SHA256
3a2ce42ae6127d3c13ed1f9903fc80c1a2b38037974edde24b71e40f5857a4fd

SHA512
3745d7678643bd1549b3fbad166b52df180efb0d94a5469daa832383bc013de4cc0eec6022455424420f684ac286c6da80779f19db34d9281fb5517b00ac1cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A7FEEAFC-3E27-40F1-B5DE-1212A2516B85}\msi_common.dll

Filesize
395KB

MD5
49120bf5d6783d2a9d2afe529a344cfc

SHA1
4cb87b2a877fff8fba704c21a0e473c68baf44f0

SHA256
ba9a855bbfb6c3459772c917281e1d34e0946e9a288908b4f84f8a40c6af9809

SHA512
1d425a61f055d345a46097393b390729b9b67a03dbd2474e09014d8cbad5fa1994a5dd4723205f2724344fafbab0aad3e435fe416dc67e2cf6dd820d4d3e6ac2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\cookies.sqlite

Filesize
512KB

MD5
f05cdef976e0c3a84fd2c091418172d8

SHA1
b98c9bdfebdf93693a290bd088fbc3b24211a987

SHA256
39be4730c0608372efab96e77aff156d7106a1441fcadf677202a7c16fecf09a

SHA512
b88830d45f8dae66673e0c7424194d00c6f6453252f09904a859f9f6b92cc23b8ff150853a701d8ca473cff4f02a69063f8f92dbfd7b9e4f6bdd5ce864a138e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\places.sqlite

Filesize
5.0MB

MD5
d02592e9c0612d7237db8a06878cc90f

SHA1
77a351f90c52091fb6b6afc445a647101e282600

SHA256
3a2ce42ae6127d3c13ed1f9903fc80c1a2b38037974edde24b71e40f5857a4fd

SHA512
3745d7678643bd1549b3fbad166b52df180efb0d94a5469daa832383bc013de4cc0eec6022455424420f684ac286c6da80779f19db34d9281fb5517b00ac1cf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\prefs-1.js

Filesize
6KB

MD5
71b2e216abb94c742ccd4bab14f680ee

SHA1
b7dedf11dd49ec9e9c389253c44bbf53ea852cd2

SHA256
9a0c46f821afd773c648f4b58dd4af1508d7ac522c2e55e19be331140740f119

SHA512
59fcad4609e2f0e4ecfc413bf28a8d9c9834010d07ece733f716dcf9d9281bf6f0acfd7dabaa474b9b4b3e089a5d666e41b75e0c027374b2048cc62a2e7b5b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\prefs-1.js

Filesize
6KB

MD5
4ed4ca459aed7912f7d3533913bb05c9

SHA1
ece73264cae4a9f8d5eef4fee9f5ea4c1f8ef755

SHA256
162f4e7ec7a20440d534eaa241b1d584da664dfa376741c9cda258bee11f96d9

SHA512
8a71609096f1c1f8eb9e294caaa6ac1b360331e7bd92253bd59b4e346172c89da253a42f964793c61231e5ee217844b9b163333a1d5c3e24c210eb2283c25559

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\prefs-1.js

Filesize
6KB

MD5
345999a4c1b535d8fc0c5d3a88a92104

SHA1
2eac5edd768cf5c568c5445d0f99bc8582f69afe

SHA256
78e859a7d306df1a5fd5f58f0652ba16332cab9536e66bae841cac58761367f9

SHA512
5386869b3b52b66a2916425c76f943cceb80665ea59cc0d7e780927ad336d2c301bb18c307f884b12306885a0500f9c7d705994251347b424d5d11f2a3ea01f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\prefs.js

Filesize
6KB

MD5
9793f1b93e48a0fa1852bb710d2122c0

SHA1
4d5d6d1889fc587594825830e1e77e58014cb4d3

SHA256
3017200897a5ba4987af53e46c5215470fb21ebdb2721e8431823f5211888488

SHA512
a8e24439d33bff18b596cb2a23692819a61a80fd7174c954096d2b42d0182b442cc130872195d5a6ebbece433e693b85b8c1212f4eeb947056402cbc97706ed7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a48b99b0b25db0ad0b1c01cb367b0555

SHA1
e92c51c0bfcc815119c66591b6ec9930a8d3064b

SHA256
3180f6f37869478a5dceb7c939a614b5aa4673eb58f591861b71501e62b7afa0

SHA512
e77fe11ee8625f274edc6a5ea5c0aec892098dccaa22269f6ab36fb17dd45f398c49093ca2a3f1b5a2c89176cb3caced0712b54d3701e464dfd00b91125c632c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
c99fad3d8e0832b4771a3723fc2614f0

SHA1
7adf77861b995b60303c6f5e00ac1242919b8c42

SHA256
426d796462f361ce31c5281ce062347e000a513872ae254521b1fdca83bd9028

SHA512
70f148372bf9e1876915bf22efc8041b7ffcff8ae337033eac68f4be6ddb7dd5fd1a55fcbb4165f7ea0ff2de41021e8f76d1939c46adcc06172f665092f4edca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
6896fbd12e5085ccf84b06b5f78eef52

SHA1
ecf0241e4d4f394f425e9191ddea38b092089718

SHA256
bbc3189b463b00b231a50dc9ff2b4b1122027882120f99a1930ad9d1ffb38ee7

SHA512
6abe0cb74feb952c10843c750a4e878fcc60c9a18f940ff12fe98ee6b4b5706066f740966e93ba88c5e1b61926ebb1877d4cd0dce011a6bc10cbc1a9777920b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4tubnn5x.default-release\sessionstore.jsonlz4

Filesize
7KB

MD5
de6364a7614e0bf410424b2c264f0d88

SHA1
269990b16fb6315ac434b9ba812e665307c4f73d

SHA256
75f55cdaa7433b27a975ca219b51d67da0001ac1fb077e5e1e84811f0840294e

SHA512
e23326e3ee3af074c1def2047ddf1ca0850f3a64901fc42037452dc518a7b64d37572275b321b3f6564390998e430ac2a34b73bb6f72a427569675de1d26575a

Download Submit
C:\Users\Admin\Downloads\startup.exe

Filesize
4.2MB

MD5
8a30257616ac333a408208405f736097

SHA1
904f656546b997db2b6176dcc91e45ddc548ff50

SHA256
767adf3947100fcafb15fcd35bdd26a8bcde9a8ac45ca88605840f13c3213f5d

SHA512
a419f4a37098c795a7ccee45d66fc34ce58371bb38c64a153c0f229cffc73d2975ab378a6807496bf982bfb0e397d9bea34912ae2c5d275863ab2d68b6285ad8

Download Submit
C:\Users\Admin\Downloads\startup.exe

Filesize
4.2MB

MD5
8a30257616ac333a408208405f736097

SHA1
904f656546b997db2b6176dcc91e45ddc548ff50

SHA256
767adf3947100fcafb15fcd35bdd26a8bcde9a8ac45ca88605840f13c3213f5d

SHA512
a419f4a37098c795a7ccee45d66fc34ce58371bb38c64a153c0f229cffc73d2975ab378a6807496bf982bfb0e397d9bea34912ae2c5d275863ab2d68b6285ad8

Download Submit
C:\Users\Admin\Downloads\startup.g44fqnfs.exe.part

Filesize
20KB

MD5
786caae51754cd3955fe7d1298ccdb98

SHA1
ae25351da0b56deddb3d3d6600e43c18b986ac23

SHA256
5d2d078b7cf859343de2ea2cd31943d087714bbb61ac72a4b4eca8fe2ce1a38d

SHA512
462ffe69840beb6e9efb790644501c56b520b2145c113858bf112d92bcc076a1ea24a7614fc867503850c7438ea0f47d8a6569432f8cfa6763a079a6a689005b

Download Submit
C:\Windows\Installer\MSICDF1.tmp

Filesize
138KB

MD5
9118bb0271c786eb5d413a9ca7c5dab5

SHA1
e80f1bb7c7e74793c6ef0853898f6adc3ce469d7

SHA256
b9365762972d8768636db40ad27acb115d9e9179b809ea6a0b6efe160a59c7f3

SHA512
5d288aa8e7a333dabddb1f5e79ba157780fe24c54938662e9d5e74c731233c3ebad3defc6e19da0bafb3bd2352fa7bb913cfc49a5df084cf6daffeba77a23da7

Download Submit
C:\Windows\Installer\MSICEFC.tmp

Filesize
138KB

MD5
9118bb0271c786eb5d413a9ca7c5dab5

SHA1
e80f1bb7c7e74793c6ef0853898f6adc3ce469d7

SHA256
b9365762972d8768636db40ad27acb115d9e9179b809ea6a0b6efe160a59c7f3

SHA512
5d288aa8e7a333dabddb1f5e79ba157780fe24c54938662e9d5e74c731233c3ebad3defc6e19da0bafb3bd2352fa7bb913cfc49a5df084cf6daffeba77a23da7

Download Submit
C:\Windows\Installer\MSICF3B.tmp

Filesize
138KB

MD5
9118bb0271c786eb5d413a9ca7c5dab5

SHA1
e80f1bb7c7e74793c6ef0853898f6adc3ce469d7

SHA256
b9365762972d8768636db40ad27acb115d9e9179b809ea6a0b6efe160a59c7f3

SHA512
5d288aa8e7a333dabddb1f5e79ba157780fe24c54938662e9d5e74c731233c3ebad3defc6e19da0bafb3bd2352fa7bb913cfc49a5df084cf6daffeba77a23da7

Download Submit
C:\Windows\Installer\MSICF3B.tmp

Filesize
138KB

MD5
9118bb0271c786eb5d413a9ca7c5dab5

SHA1
e80f1bb7c7e74793c6ef0853898f6adc3ce469d7

SHA256
b9365762972d8768636db40ad27acb115d9e9179b809ea6a0b6efe160a59c7f3

SHA512
5d288aa8e7a333dabddb1f5e79ba157780fe24c54938662e9d5e74c731233c3ebad3defc6e19da0bafb3bd2352fa7bb913cfc49a5df084cf6daffeba77a23da7

Download Submit
C:\Windows\Installer\MSICF9A.tmp

Filesize
2.4MB

MD5
17d28af5ef2758a6fd3e236bd54e7382

SHA1
276c316186c31d375d5a2f6873e3304db134d034

SHA256
65ef12f3633bb1798f905ce68d7a9cfb2879d64277697c455bd20182123e91f8

SHA512
94708654503a40fc48a985c1b350533ac4bf7db5816faad1de7c29cab5137b7b5c28943f5ae6d69d08391d87bfa5f6a39fcaa2a71bc27c995186db37d0e221b2

Download Submit
C:\Windows\Installer\MSID4DB.tmp

Filesize
2.4MB

MD5
17d28af5ef2758a6fd3e236bd54e7382

SHA1
276c316186c31d375d5a2f6873e3304db134d034

SHA256
65ef12f3633bb1798f905ce68d7a9cfb2879d64277697c455bd20182123e91f8

SHA512
94708654503a40fc48a985c1b350533ac4bf7db5816faad1de7c29cab5137b7b5c28943f5ae6d69d08391d87bfa5f6a39fcaa2a71bc27c995186db37d0e221b2

Download Submit
C:\Windows\Installer\MSID624.tmp

Filesize
395KB

MD5
49120bf5d6783d2a9d2afe529a344cfc

SHA1
4cb87b2a877fff8fba704c21a0e473c68baf44f0

SHA256
ba9a855bbfb6c3459772c917281e1d34e0946e9a288908b4f84f8a40c6af9809

SHA512
1d425a61f055d345a46097393b390729b9b67a03dbd2474e09014d8cbad5fa1994a5dd4723205f2724344fafbab0aad3e435fe416dc67e2cf6dd820d4d3e6ac2

Download Submit
C:\Windows\Installer\MSID673.tmp

Filesize
2.4MB

MD5
17d28af5ef2758a6fd3e236bd54e7382

SHA1
276c316186c31d375d5a2f6873e3304db134d034

SHA256
65ef12f3633bb1798f905ce68d7a9cfb2879d64277697c455bd20182123e91f8

SHA512
94708654503a40fc48a985c1b350533ac4bf7db5816faad1de7c29cab5137b7b5c28943f5ae6d69d08391d87bfa5f6a39fcaa2a71bc27c995186db37d0e221b2

Download Submit
C:\Windows\Installer\MSID673.tmp

Filesize
2.4MB

MD5
17d28af5ef2758a6fd3e236bd54e7382

SHA1
276c316186c31d375d5a2f6873e3304db134d034

SHA256
65ef12f3633bb1798f905ce68d7a9cfb2879d64277697c455bd20182123e91f8

SHA512
94708654503a40fc48a985c1b350533ac4bf7db5816faad1de7c29cab5137b7b5c28943f5ae6d69d08391d87bfa5f6a39fcaa2a71bc27c995186db37d0e221b2

Download Submit
C:\Windows\Installer\MSIE00E.tmp

Filesize
826KB

MD5
af9d0c15384108324145a83c24a6536c

SHA1
dfe087822526cd81f36bce735300ba69c0a65331

SHA256
dd791b1c604e629665483232ad2a6a4432d78931d518f6ca571f22195655648e

SHA512
8ed9c4d02bf4aa6df2855916bb020a504dd79dda589b5cd2a79584e4b08c63de028e925728e359f9a0f8f4424235a3619efcb2b05e5eceb8d0618c2423ed67d9

Download Submit
C:\Windows\Temp\A293B84BFDA5EE114B30E6E06E795639\startup.exe

Filesize
4.2MB

MD5
8a30257616ac333a408208405f736097

SHA1
904f656546b997db2b6176dcc91e45ddc548ff50

SHA256
767adf3947100fcafb15fcd35bdd26a8bcde9a8ac45ca88605840f13c3213f5d

SHA512
a419f4a37098c795a7ccee45d66fc34ce58371bb38c64a153c0f229cffc73d2975ab378a6807496bf982bfb0e397d9bea34912ae2c5d275863ab2d68b6285ad8

Download Submit
C:\Windows\temp\A293B84BFDA5EE114B30E6E06E795639\startup.exe

Filesize
4.2MB

MD5
8a30257616ac333a408208405f736097

SHA1
904f656546b997db2b6176dcc91e45ddc548ff50

SHA256
767adf3947100fcafb15fcd35bdd26a8bcde9a8ac45ca88605840f13c3213f5d

SHA512
a419f4a37098c795a7ccee45d66fc34ce58371bb38c64a153c0f229cffc73d2975ab378a6807496bf982bfb0e397d9bea34912ae2c5d275863ab2d68b6285ad8

Download Submit
\Users\Admin\AppData\Local\Temp\4B17DCCC-5AE0-11EE-B403-6E0EE6976593\cbi.dll

Filesize
129KB

MD5
c3e58ebfb907a28cc35df7d3e74bd4b5

SHA1
5ac52d5128b8d1195af29f908779eb4ee5ab3476

SHA256
bf3c75bc4203c71878f4f4313d3fbcb2884b1c94395b8398a62e64e5fb388768

SHA512
db8032030cec0ad2c3141703c1e789f1030ba27271adf767dccdb698c94bf3824fa396c63220c97ecea14f862239d601debd12ec19825c238e1f2c884f138ab8

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\System.Windows.Interactivity.dll

Filesize
39KB

MD5
3ab57a33a6e3a1476695d5a6e856c06a

SHA1
dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7

SHA256
4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876

SHA512
58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\System.Windows.Interactivity.dll

Filesize
39KB

MD5
3ab57a33a6e3a1476695d5a6e856c06a

SHA1
dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7

SHA256
4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876

SHA512
58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\System.Windows.Interactivity.dll

Filesize
39KB

MD5
3ab57a33a6e3a1476695d5a6e856c06a

SHA1
dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7

SHA256
4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876

SHA512
58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\System.Windows.Interactivity.dll

Filesize
39KB

MD5
3ab57a33a6e3a1476695d5a6e856c06a

SHA1
dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7

SHA256
4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876

SHA512
58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.core.dll

Filesize
126KB

MD5
4eed4912f1b75081a4c73654f15c4f9f

SHA1
1d1245a5272f2acb6424b47a6894f614d36bdb87

SHA256
13a47495c38c7a3dcddd162c02649f2e4a8c2eebcf2c77502d7a5087134f9853

SHA512
05c570f3a4735091e8ae1dfb2ea9e4dcd5117940258fb34cfcc11f5442b3b622915e93f640879547b8d042dd5fc4e24deaac9a21a6e0ba9755baa4ffa80c23fd

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.core.dll

Filesize
126KB

MD5
4eed4912f1b75081a4c73654f15c4f9f

SHA1
1d1245a5272f2acb6424b47a6894f614d36bdb87

SHA256
13a47495c38c7a3dcddd162c02649f2e4a8c2eebcf2c77502d7a5087134f9853

SHA512
05c570f3a4735091e8ae1dfb2ea9e4dcd5117940258fb34cfcc11f5442b3b622915e93f640879547b8d042dd5fc4e24deaac9a21a6e0ba9755baa4ffa80c23fd

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.dll

Filesize
269KB

MD5
9d2762eaa4c731568be5ca35485db1d9

SHA1
47c5a412e1910a24ec397cb17c46ca026d47bacb

SHA256
88de26ddc2d370bcf16a09419a432bbedc347c2586e9fefa6ebf29be75319c8e

SHA512
75e579bd49cb9078610fb58b901cfca48bb6e52630670ffb937653d08db02fff9460cd01d5523dafd8d982665a87e9c6ca564fa900ca3d90d5533d05739fd12b

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.dll

Filesize
269KB

MD5
9d2762eaa4c731568be5ca35485db1d9

SHA1
47c5a412e1910a24ec397cb17c46ca026d47bacb

SHA256
88de26ddc2d370bcf16a09419a432bbedc347c2586e9fefa6ebf29be75319c8e

SHA512
75e579bd49cb9078610fb58b901cfca48bb6e52630670ffb937653d08db02fff9460cd01d5523dafd8d982665a87e9c6ca564fa900ca3d90d5533d05739fd12b

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.interoplayer.dll

Filesize
54KB

MD5
1b04066796d433257699921e5171ef9c

SHA1
0514df44ba945fdf080476d9991c06c78fffef75

SHA256
ba545cf9e14569f8b13e3ec9523a1cb5ea0b9270c173be4051aa88ffd025ba89

SHA512
951108afc0af83bc5c5b3cb282593cb310c756d3999b94d644f16df64d16280815783e1d6d8c102c128527c17c47de385d6527a57b5f162dc48aeb37d117cd49

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.interoplayer.dll

Filesize
54KB

MD5
1b04066796d433257699921e5171ef9c

SHA1
0514df44ba945fdf080476d9991c06c78fffef75

SHA256
ba545cf9e14569f8b13e3ec9523a1cb5ea0b9270c173be4051aa88ffd025ba89

SHA512
951108afc0af83bc5c5b3cb282593cb310c756d3999b94d644f16df64d16280815783e1d6d8c102c128527c17c47de385d6527a57b5f162dc48aeb37d117cd49

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.visuals.dll

Filesize
111KB

MD5
290ad1387d14831c4d2e354ef6278d8b

SHA1
3ba7153ea7cfb8e6b451276b718372133a90289c

SHA256
b1f443629bab7b8dc80175a27f7c456d167598f05ed87d793d852983aa852c02

SHA512
ff533ef12037fd06021660877969f74521bb638cc48401a77b3b5bb0f9ce65dabd4c488c3b631fe21ce76b3213e0cc20add05721db8b667e0f6d5445114cf56a

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.visuals.dll

Filesize
111KB

MD5
290ad1387d14831c4d2e354ef6278d8b

SHA1
3ba7153ea7cfb8e6b451276b718372133a90289c

SHA256
b1f443629bab7b8dc80175a27f7c456d167598f05ed87d793d852983aa852c02

SHA512
ff533ef12037fd06021660877969f74521bb638cc48401a77b3b5bb0f9ce65dabd4c488c3b631fe21ce76b3213e0cc20add05721db8b667e0f6d5445114cf56a

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.visuals.dll

Filesize
111KB

MD5
290ad1387d14831c4d2e354ef6278d8b

SHA1
3ba7153ea7cfb8e6b451276b718372133a90289c

SHA256
b1f443629bab7b8dc80175a27f7c456d167598f05ed87d793d852983aa852c02

SHA512
ff533ef12037fd06021660877969f74521bb638cc48401a77b3b5bb0f9ce65dabd4c488c3b631fe21ce76b3213e0cc20add05721db8b667e0f6d5445114cf56a

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.setup.ui.visuals.dll

Filesize
111KB

MD5
290ad1387d14831c4d2e354ef6278d8b

SHA1
3ba7153ea7cfb8e6b451276b718372133a90289c

SHA256
b1f443629bab7b8dc80175a27f7c456d167598f05ed87d793d852983aa852c02

SHA512
ff533ef12037fd06021660877969f74521bb638cc48401a77b3b5bb0f9ce65dabd4c488c3b631fe21ce76b3213e0cc20add05721db8b667e0f6d5445114cf56a

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.dll

Filesize
197KB

MD5
b16d2bfca8427797a7f96bcd3e3b163a

SHA1
8b3f0ad8a067fa084cbe957e499a6fb4c453afd9

SHA256
35f16bdc3f15d9742a407c075722d30e88799600cfa37d99d7e1ebf869e27fdc

SHA512
9a6701ca55564a6f70f3270cf2dcf615dba5dd8020a4c165a986c15d57694f84f96cd750c3ca624c65b48c66b52e5cfa83d0e02c2a78193699775bf327b37e2b

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.dll

Filesize
197KB

MD5
b16d2bfca8427797a7f96bcd3e3b163a

SHA1
8b3f0ad8a067fa084cbe957e499a6fb4c453afd9

SHA256
35f16bdc3f15d9742a407c075722d30e88799600cfa37d99d7e1ebf869e27fdc

SHA512
9a6701ca55564a6f70f3270cf2dcf615dba5dd8020a4c165a986c15d57694f84f96cd750c3ca624c65b48c66b52e5cfa83d0e02c2a78193699775bf327b37e2b

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.localization.dll

Filesize
277KB

MD5
c497bac28c180dc8cf2ff3d03dd914ec

SHA1
a908e8afe99ea62e18a6ed9ba3a4d2293ddb2ea3

SHA256
922d5d2ad940d5a812a7f7a1cf1bd81bc6b972acb3eb6e7afaa24fc597d9ddc6

SHA512
52f60c30b539e05667544b9a6a2e9b4c9617730a00ffd5cb438e5937cb1ea3d1d1a0cfdbe87e74fff767f4a383baa3ad22be109a72e11839576bc2198a06f249

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.localization.dll

Filesize
277KB

MD5
c497bac28c180dc8cf2ff3d03dd914ec

SHA1
a908e8afe99ea62e18a6ed9ba3a4d2293ddb2ea3

SHA256
922d5d2ad940d5a812a7f7a1cf1bd81bc6b972acb3eb6e7afaa24fc597d9ddc6

SHA512
52f60c30b539e05667544b9a6a2e9b4c9617730a00ffd5cb438e5937cb1ea3d1d1a0cfdbe87e74fff767f4a383baa3ad22be109a72e11839576bc2198a06f249

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.uikit.b2c.dll

Filesize
1.2MB

MD5
ce27ebb2ce3b659322811e5f2bae03e7

SHA1
166c8374d24f9e4c0bc0d91d5a15ea4860551ad7

SHA256
c1c5cdfbdc19f84f35f3a5eeadfc8eb52386c11e74f9edc3349830137c4f297d

SHA512
61dbeda532011f0371b51305acdc5b5b34db84733e55ca3a00bb6e08ab5aca110d18a869b44d4ccbda9cbc45f4f4f823b808884cb265ee4c3c6dca1d057c1ef3

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.uikit.b2c.dll

Filesize
1.2MB

MD5
ce27ebb2ce3b659322811e5f2bae03e7

SHA1
166c8374d24f9e4c0bc0d91d5a15ea4860551ad7

SHA256
c1c5cdfbdc19f84f35f3a5eeadfc8eb52386c11e74f9edc3349830137c4f297d

SHA512
61dbeda532011f0371b51305acdc5b5b34db84733e55ca3a00bb6e08ab5aca110d18a869b44d4ccbda9cbc45f4f4f823b808884cb265ee4c3c6dca1d057c1ef3

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.uikit.b2c.dll

Filesize
1.2MB

MD5
ce27ebb2ce3b659322811e5f2bae03e7

SHA1
166c8374d24f9e4c0bc0d91d5a15ea4860551ad7

SHA256
c1c5cdfbdc19f84f35f3a5eeadfc8eb52386c11e74f9edc3349830137c4f297d

SHA512
61dbeda532011f0371b51305acdc5b5b34db84733e55ca3a00bb6e08ab5aca110d18a869b44d4ccbda9cbc45f4f4f823b808884cb265ee4c3c6dca1d057c1ef3

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.uikit.b2c.dll

Filesize
1.2MB

MD5
ce27ebb2ce3b659322811e5f2bae03e7

SHA1
166c8374d24f9e4c0bc0d91d5a15ea4860551ad7

SHA256
c1c5cdfbdc19f84f35f3a5eeadfc8eb52386c11e74f9edc3349830137c4f297d

SHA512
61dbeda532011f0371b51305acdc5b5b34db84733e55ca3a00bb6e08ab5aca110d18a869b44d4ccbda9cbc45f4f4f823b808884cb265ee4c3c6dca1d057c1ef3

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.uikit.dll

Filesize
1.1MB

MD5
a9f715ae9d15efb5c20e968749bed408

SHA1
c3654cef80aca3dba7d99d373d947ec8a20481ba

SHA256
2f07d489f432d2f553ba6b8c1846c45b9a8c9847e2c1cf81bf352909d1e2746e

SHA512
33ad44d01f5341ed4ffa11502dd62c6f3b5060d88c7cacfe93d8a6d4fc9f80c26b91b2e295b631b4b83714a15870c604c8a9aa4f4bdd0859a16d817c906f3c2f

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\kasperskylab.ui.framework.uikit.dll

Filesize
1.1MB

MD5
a9f715ae9d15efb5c20e968749bed408

SHA1
c3654cef80aca3dba7d99d373d947ec8a20481ba

SHA256
2f07d489f432d2f553ba6b8c1846c45b9a8c9847e2c1cf81bf352909d1e2746e

SHA512
33ad44d01f5341ed4ffa11502dd62c6f3b5060d88c7cacfe93d8a6d4fc9f80c26b91b2e295b631b4b83714a15870c604c8a9aa4f4bdd0859a16d817c906f3c2f

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\setup.dll

Filesize
5.9MB

MD5
8d3d7204d73867d7bf0f1e721b5629e9

SHA1
d3293e98e0b432a00a254b247d72fae8242c3d52

SHA256
57a125fa4d94aa989219892173e491543d95bac1c7ee4340c741240c4d7a5275

SHA512
71f3a051c8223ad1d2a992356d132a4ea79858c16b15771631686574364fdfbb24251e9bf97e0bb551d4bed7664852a6732df5bcb85332e2305745d7659425af

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorconverterswpf.dll

Filesize
135KB

MD5
a16860177631160003651393c827f6b5

SHA1
f83172a0ba17fa82cbc103fb5191e7688d0928ee

SHA256
c5143e6f38230ed7e9a3b0d877bbe31b6fd18e66d8e4295904f6b063461514f2

SHA512
13f101a0d916005f48dd989521c572d55e5e53e9d66d20ad51deae3c2e569925a033c65308a9009647b61d0a3a02ddbaa8f67fdafe56d64ecce6f22fca9872e5

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorconverterswpf.dll

Filesize
135KB

MD5
a16860177631160003651393c827f6b5

SHA1
f83172a0ba17fa82cbc103fb5191e7688d0928ee

SHA256
c5143e6f38230ed7e9a3b0d877bbe31b6fd18e66d8e4295904f6b063461514f2

SHA512
13f101a0d916005f48dd989521c572d55e5e53e9d66d20ad51deae3c2e569925a033c65308a9009647b61d0a3a02ddbaa8f67fdafe56d64ecce6f22fca9872e5

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorcore.dll

Filesize
198KB

MD5
6ff1879d6224baf4efc697c1989b474f

SHA1
0bf453d2c201e252f518db7c16d095eeb3ea17b8

SHA256
feed80fa5f9850ba3fc7a23c1071e35acebc44abb4fe35f93a51b1c95f4b304c

SHA512
0d16eb248afe65ab40f7a38af397df879db84d78246c972bfe89189eb7e4425c193ee350791efba3e156ca11d79784ba06330ed977b41c598573619e603e07f2

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorcore.dll

Filesize
198KB

MD5
6ff1879d6224baf4efc697c1989b474f

SHA1
0bf453d2c201e252f518db7c16d095eeb3ea17b8

SHA256
feed80fa5f9850ba3fc7a23c1071e35acebc44abb4fe35f93a51b1c95f4b304c

SHA512
0d16eb248afe65ab40f7a38af397df879db84d78246c972bfe89189eb7e4425c193ee350791efba3e156ca11d79784ba06330ed977b41c598573619e603e07f2

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorcss.dll

Filesize
106KB

MD5
0a55ecae176cbbbecacf9f009f429ba9

SHA1
3ad22f70e4f0360ca76b236cc8c285a099a68811

SHA256
e5915aae343b795392e3b4e695c89f0a2dadaa24d69f9a423e50d3f0d2d44786

SHA512
c207687d337e309b554231e503b0126d0d49129d8605db7efb60afe08bb7cf0d7585d221f4188d68d467eb3ac5d92a3faf038f905fea8a9d1dbbc2b0ac798286

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorcss.dll

Filesize
106KB

MD5
0a55ecae176cbbbecacf9f009f429ba9

SHA1
3ad22f70e4f0360ca76b236cc8c285a099a68811

SHA256
e5915aae343b795392e3b4e695c89f0a2dadaa24d69f9a423e50d3f0d2d44786

SHA512
c207687d337e309b554231e503b0126d0d49129d8605db7efb60afe08bb7cf0d7585d221f4188d68d467eb3ac5d92a3faf038f905fea8a9d1dbbc2b0ac798286

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectordom.dll

Filesize
52KB

MD5
b0a5181c52bdba8a5c7ba75e4dd0cb75

SHA1
619302666e9a2e7ef111ba1b137f5292cb903f5b

SHA256
9bd3ee71cc3f4426a570de2f2443196a94c3a0a3fce2b55231908194a3c488af

SHA512
25cc968bedacbd0811c558ee85480364666931035083daa5b91d21aa0b207049bae328ecacf79f61678049c281fb1c1e0289a892513b8f20e443627c0b656f86

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectordom.dll

Filesize
52KB

MD5
b0a5181c52bdba8a5c7ba75e4dd0cb75

SHA1
619302666e9a2e7ef111ba1b137f5292cb903f5b

SHA256
9bd3ee71cc3f4426a570de2f2443196a94c3a0a3fce2b55231908194a3c488af

SHA512
25cc968bedacbd0811c558ee85480364666931035083daa5b91d21aa0b207049bae328ecacf79f61678049c281fb1c1e0289a892513b8f20e443627c0b656f86

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectormodel.dll

Filesize
1003KB

MD5
93e4542cc2b69040f64fd7fb797bc2c4

SHA1
3a10dd6885e5516e4a31f0c6d73e8e421c18822d

SHA256
24695c0de9858448e5c32bf9a2f6eb49f5792cb8bf933fcbb6a39bb145b68c84

SHA512
74cc7de7244fafae592b95e569e432f7c91d049f33534d28181452e9bf4aecbbcc55eec41aa437c3a477814216a27f33c7b43e100d1c860011bbb100f590d131

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectormodel.dll

Filesize
1003KB

MD5
93e4542cc2b69040f64fd7fb797bc2c4

SHA1
3a10dd6885e5516e4a31f0c6d73e8e421c18822d

SHA256
24695c0de9858448e5c32bf9a2f6eb49f5792cb8bf933fcbb6a39bb145b68c84

SHA512
74cc7de7244fafae592b95e569e432f7c91d049f33534d28181452e9bf4aecbbcc55eec41aa437c3a477814216a27f33c7b43e100d1c860011bbb100f590d131

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorrenderingwpf.dll

Filesize
200KB

MD5
ebcdc4d364b6d827cb294b3f19afaaef

SHA1
cd7119c2e550a67963c5b5129534532729d56505

SHA256
5a8fe28f53d2c256520a90eaedf0acac6dc16b23b8f679b65fe98ff50a8d62e1

SHA512
fb39344ef8651c3e3ba700868d49c72e1e62f7c8f99bb1fe20355693ba1f1bef547750fb5837adb03c242b12038686bc682fe3903805360e88b2a2f8e0ee24df

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorrenderingwpf.dll

Filesize
200KB

MD5
ebcdc4d364b6d827cb294b3f19afaaef

SHA1
cd7119c2e550a67963c5b5129534532729d56505

SHA256
5a8fe28f53d2c256520a90eaedf0acac6dc16b23b8f679b65fe98ff50a8d62e1

SHA512
fb39344ef8651c3e3ba700868d49c72e1e62f7c8f99bb1fe20355693ba1f1bef547750fb5837adb03c242b12038686bc682fe3903805360e88b2a2f8e0ee24df

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorruntimewpf.dll

Filesize
66KB

MD5
ef03937e84e8ba90c1cfc232794572de

SHA1
a8bd800fa405243dbdd098b6b1866ff0359dcc14

SHA256
947760a34d4cec1da0d0c03fcd2d1b6d6b04bc2d3f20793276a886a123f66377

SHA512
1b8f5892167ce3ecc1c0511fae7534426f774d182b8468f36ef01fb60de031d2ae220524e9dc47c0f5a1a53be4d4be3521e809f11322ab2b9b1d71fb5310f34a

Download Submit
\Users\Admin\AppData\Local\Temp\746D2C4BFDA5EE114B30E6E06E795639\sharpvectorruntimewpf.dll

Filesize
66KB

MD5
ef03937e84e8ba90c1cfc232794572de

SHA1
a8bd800fa405243dbdd098b6b1866ff0359dcc14

SHA256
947760a34d4cec1da0d0c03fcd2d1b6d6b04bc2d3f20793276a886a123f66377

SHA512
1b8f5892167ce3ecc1c0511fae7534426f774d182b8468f36ef01fb60de031d2ae220524e9dc47c0f5a1a53be4d4be3521e809f11322ab2b9b1d71fb5310f34a

Download Submit
\Users\Admin\AppData\Local\Temp\DBB4FDB8-5ADF-11EE-B403-6E0EE6976593\Cleaner\cleanapi.dll

Filesize
3.9MB

MD5
db7d907d62e1494499611e391f2643d8

SHA1
3119526f52b6b9a4931aca2114d48379123d6e45

SHA256
de105a57b3ee95c3ac8c056571e9eeb1f4c7f3269a996b5f61072296bd1655f2

SHA512
f93175647c9b990e6b8f7c416b7a28958a0a547de1dbf7a903eac53aa7edfb740417a5be13928a37d2874a87348942cf56cc7669a99d644674ee8bfe53b1656a

Download Submit
\Windows\Installer\MSICDF1.tmp

Filesize
138KB

MD5
9118bb0271c786eb5d413a9ca7c5dab5

SHA1
e80f1bb7c7e74793c6ef0853898f6adc3ce469d7

SHA256
b9365762972d8768636db40ad27acb115d9e9179b809ea6a0b6efe160a59c7f3

SHA512
5d288aa8e7a333dabddb1f5e79ba157780fe24c54938662e9d5e74c731233c3ebad3defc6e19da0bafb3bd2352fa7bb913cfc49a5df084cf6daffeba77a23da7

Download Submit
\Windows\Installer\MSICEFC.tmp

Filesize
138KB

MD5
9118bb0271c786eb5d413a9ca7c5dab5

SHA1
e80f1bb7c7e74793c6ef0853898f6adc3ce469d7

SHA256
b9365762972d8768636db40ad27acb115d9e9179b809ea6a0b6efe160a59c7f3

SHA512
5d288aa8e7a333dabddb1f5e79ba157780fe24c54938662e9d5e74c731233c3ebad3defc6e19da0bafb3bd2352fa7bb913cfc49a5df084cf6daffeba77a23da7

Download Submit
\Windows\Installer\MSICF3B.tmp

Filesize
138KB

MD5
9118bb0271c786eb5d413a9ca7c5dab5

SHA1
e80f1bb7c7e74793c6ef0853898f6adc3ce469d7

SHA256
b9365762972d8768636db40ad27acb115d9e9179b809ea6a0b6efe160a59c7f3

SHA512
5d288aa8e7a333dabddb1f5e79ba157780fe24c54938662e9d5e74c731233c3ebad3defc6e19da0bafb3bd2352fa7bb913cfc49a5df084cf6daffeba77a23da7

Download Submit
\Windows\Installer\MSICF9A.tmp

Filesize
2.4MB

MD5
17d28af5ef2758a6fd3e236bd54e7382

SHA1
276c316186c31d375d5a2f6873e3304db134d034

SHA256
65ef12f3633bb1798f905ce68d7a9cfb2879d64277697c455bd20182123e91f8

SHA512
94708654503a40fc48a985c1b350533ac4bf7db5816faad1de7c29cab5137b7b5c28943f5ae6d69d08391d87bfa5f6a39fcaa2a71bc27c995186db37d0e221b2

Download Submit
\Windows\Installer\MSID4DB.tmp

Filesize
2.4MB

MD5
17d28af5ef2758a6fd3e236bd54e7382

SHA1
276c316186c31d375d5a2f6873e3304db134d034

SHA256
65ef12f3633bb1798f905ce68d7a9cfb2879d64277697c455bd20182123e91f8

SHA512
94708654503a40fc48a985c1b350533ac4bf7db5816faad1de7c29cab5137b7b5c28943f5ae6d69d08391d87bfa5f6a39fcaa2a71bc27c995186db37d0e221b2

Download Submit
\Windows\Installer\MSID624.tmp

Filesize
395KB

MD5
49120bf5d6783d2a9d2afe529a344cfc

SHA1
4cb87b2a877fff8fba704c21a0e473c68baf44f0

SHA256
ba9a855bbfb6c3459772c917281e1d34e0946e9a288908b4f84f8a40c6af9809

SHA512
1d425a61f055d345a46097393b390729b9b67a03dbd2474e09014d8cbad5fa1994a5dd4723205f2724344fafbab0aad3e435fe416dc67e2cf6dd820d4d3e6ac2

Download Submit
\Windows\Installer\MSID673.tmp

Filesize
2.4MB

MD5
17d28af5ef2758a6fd3e236bd54e7382

SHA1
276c316186c31d375d5a2f6873e3304db134d034

SHA256
65ef12f3633bb1798f905ce68d7a9cfb2879d64277697c455bd20182123e91f8

SHA512
94708654503a40fc48a985c1b350533ac4bf7db5816faad1de7c29cab5137b7b5c28943f5ae6d69d08391d87bfa5f6a39fcaa2a71bc27c995186db37d0e221b2

Download Submit
memory/664-4314-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-738-0x0000000009A30000-0x0000000009A4C000-memory.dmp

Filesize
112KB

Download
memory/664-9730-0x000000000E060000-0x000000000E098000-memory.dmp

Filesize
224KB

Download
memory/664-14850-0x0000000072600000-0x0000000072CEE000-memory.dmp

Filesize
6.9MB

Download
memory/664-9650-0x0000000009CE0000-0x0000000009CEE000-memory.dmp

Filesize
56KB

Download
memory/664-9645-0x0000000009CF0000-0x0000000009D0C000-memory.dmp

Filesize
112KB

Download
memory/664-9641-0x000000000A110000-0x000000000A20C000-memory.dmp

Filesize
1008KB

Download
memory/664-9739-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-9740-0x000000000A0D0000-0x000000000A0DA000-memory.dmp

Filesize
40KB

Download
memory/664-571-0x00000000778E0000-0x00000000778F0000-memory.dmp

Filesize
64KB

Download
memory/664-573-0x00000000778E0000-0x00000000778F0000-memory.dmp

Filesize
64KB

Download
memory/664-9637-0x0000000009D10000-0x0000000009D42000-memory.dmp

Filesize
200KB

Download
memory/664-9632-0x0000000009D70000-0x0000000009E02000-memory.dmp

Filesize
584KB

Download
memory/664-574-0x00000000777A2000-0x00000000777A3000-memory.dmp

Filesize
4KB

Download
memory/664-9631-0x0000000009050000-0x0000000009072000-memory.dmp

Filesize
136KB

Download
memory/664-9627-0x0000000009090000-0x00000000090C4000-memory.dmp

Filesize
208KB

Download
memory/664-9733-0x0000000008730000-0x0000000008738000-memory.dmp

Filesize
32KB

Download
memory/664-572-0x00000000778E0000-0x00000000778F0000-memory.dmp

Filesize
64KB

Download
memory/664-9613-0x0000000008850000-0x0000000008860000-memory.dmp

Filesize
64KB

Download
memory/664-5441-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-9743-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-4894-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-9734-0x0000000008790000-0x000000000879E000-memory.dmp

Filesize
56KB

Download
memory/664-4013-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-3457-0x0000000072600000-0x0000000072CEE000-memory.dmp

Filesize
6.9MB

Download
memory/664-769-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-758-0x0000000009B90000-0x0000000009CC2000-memory.dmp

Filesize
1.2MB

Download
memory/664-9685-0x0000000009F40000-0x0000000009F52000-memory.dmp

Filesize
72KB

Download
memory/664-730-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-672-0x00000000092D0000-0x0000000009316000-memory.dmp

Filesize
280KB

Download
memory/664-668-0x0000000009330000-0x000000000944E000-memory.dmp

Filesize
1.1MB

Download
memory/664-664-0x0000000008EF0000-0x0000000008F10000-memory.dmp

Filesize
128KB

Download
memory/664-660-0x0000000008D30000-0x0000000008D62000-memory.dmp

Filesize
200KB

Download
memory/664-629-0x00000000082C0000-0x0000000008304000-memory.dmp

Filesize
272KB

Download
memory/664-625-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-618-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/664-617-0x0000000072600000-0x0000000072CEE000-memory.dmp

Filesize
6.9MB

Download
memory/664-616-0x0000000007D60000-0x0000000007D6E000-memory.dmp

Filesize
56KB

Download
memory/3784-563-0x00000000778D0000-0x00000000778E0000-memory.dmp

Filesize
64KB

Download
memory/3784-562-0x00000000778D0000-0x00000000778E0000-memory.dmp

Filesize
64KB

Download
memory/3784-565-0x00000000777A2000-0x00000000777A3000-memory.dmp

Filesize
4KB

Download
memory/3784-564-0x00000000778D0000-0x00000000778E0000-memory.dmp

Filesize
64KB

Download
memory/4256-9745-0x0000000000E20000-0x000000000122A000-memory.dmp

Filesize
4.0MB

Download
memory/4256-9900-0x0000000000E20000-0x000000000122A000-memory.dmp

Filesize
4.0MB

Download
memory/4256-9940-0x0000000000E20000-0x000000000122A000-memory.dmp

Filesize
4.0MB

Download
memory/4256-9744-0x0000000000E20000-0x000000000122A000-memory.dmp

Filesize
4.0MB

Download
memory/4256-9823-0x000000000AAA0000-0x000000000AF9E000-memory.dmp

Filesize
5.0MB

Download
memory/4256-9746-0x0000000072600000-0x0000000072CEE000-memory.dmp

Filesize
6.9MB

Download
memory/4256-0-0x0000000000E20000-0x000000000122A000-memory.dmp

Filesize
4.0MB

Download
memory/4256-9747-0x0000000006B30000-0x0000000006B40000-memory.dmp

Filesize
64KB

Download
memory/4256-5439-0x0000000000E20000-0x000000000122A000-memory.dmp

Filesize
4.0MB

Download
memory/4256-9942-0x0000000072600000-0x0000000072CEE000-memory.dmp

Filesize
6.9MB

Download
memory/4256-9899-0x0000000009570000-0x00000000095D6000-memory.dmp

Filesize
408KB

Download
memory/4256-2-0x0000000000E20000-0x000000000122A000-memory.dmp

Filesize
4.0MB

Download
memory/4256-1-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/4256-9742-0x00000000777A2000-0x00000000777A3000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads