neshta | 79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1

Analysis

max time kernel
114s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Size

455KB
MD5

77846c820753a9afaf76183b8ef35c10
SHA1

25377e5e4c65ccc48edaa9a8ae3725cde7eaca5c
SHA256

79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1
SHA512

83bd5ce783101c834725e903204a68ef258e9b23fd6249086fce984f4defe15d4e03db33aaa1d13efd3ab6475991073ca4b20da675f9527e4d4649d79c306b1d
SSDEEP

6144:k9RA2zNMPMPwVtiN44zAi5NAOig3TBrCZMszqLi7ksvmacmWnZuPhuGbXA:YA2hESwGRwg3TBPi7BvmZmwZGuyQ

Score

10^/10

neshta discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Detect Neshta payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000600000002023a-15.dat	family_neshta
behavioral2/memory/3336-139-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3336-284-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3336-839-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3336-893-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 12 IoCs

pid	Process
1388	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
4896	Ninite.exe
2744	target.exe
2748	setup.exe
4676	maintenanceservice_installer.exe
1300	maintenanceservice_tmp.exe
1252	default-browser-agent.exe
1952	firefox.exe
996	firefox.exe
2396	firefox.exe
5060	firefox.exe
3320	target.exe

Loads dropped DLL 62 IoCs

pid	Process
2748	setup.exe
2748	setup.exe
2748	setup.exe
2232	regsvr32.exe
2232	regsvr32.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
4676	maintenanceservice_installer.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
1252	default-browser-agent.exe
1252	default-browser-agent.exe
1252	default-browser-agent.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
996	firefox.exe
996	firefox.exe
996	firefox.exe
996	firefox.exe
996	firefox.exe
996	firefox.exe
996	firefox.exe
996	firefox.exe
996	firefox.exe
996	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
5060	firefox.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2744-151-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2744-511-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files\Mozilla Firefox\removed-files	setup.exe
File opened for modification	C:\Program Files\IrfanView\彩楶睥㈳挮浨洀l瑨汭	target.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳畨慭彮㠴瀮杮	target.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\notificationserver.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\	setup.exe
File created	C:\Program Files\IrfanView\Html\frame.html	target.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳汓摩獥潨⹷硥e	target.exe
File created	C:\Program Files\Mozilla Firefox\mozglue.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	setup.exe
File created	C:\Program Files\IrfanView\i_languages.txt	target.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsbE215.tmp	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozwer.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	setup.exe
File created	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	setup.exe
File opened for modification	C:\Program Files\IrfanView\彩灯楴湯⹳硴tt汤le	target.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Ninite.exe
File created	C:\Program Files\Mozilla Firefox\dependentlibs.list	setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭是慲敭栮浴l瑨汭	target.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\wmfclearkey.dll	setup.exe
File created	C:\Program Files\IrfanView\Plugins\Effects.dll	target.exe
File created	C:\Program Files\IrfanView\Plugins\Metadata.dll	target.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\	setup.exe
File created	C:\Program Files\Mozilla Firefox\application.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	maintenanceservice_tmp.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭琯畨扭慮汩⹳瑨汭	target.exe
File opened for modification	C:\Program Files\IrfanView\爣慥浤彥楺彰獵牥⹳硴tel㍟⸲硴t	target.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe	maintenanceservice_installer.exe
File created	C:\Program Files\Mozilla Firefox\nssckbi.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe	setup.exe
File opened for modification	C:\Program Files\IrfanView\彩汰杵湩⹳硴tt汤le	target.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup.exe
File created	C:\Program Files\Mozilla Firefox\notificationserver.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll	setup.exe
File opened for modification	C:\Program Files\IrfanView\癩畟楮獮慴汬攮數氀le	target.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	target.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maintenanceservice_installer.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Colors	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Colors	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.emf\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mng\ = "IrfanView MNG File"	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ppm	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.tga\shell	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wmv	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wmv\shell\open\command	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.bmp	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.iff\shell\open\command	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pcd\DefaultIcon	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ico\shell\open\command	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dds\DefaultIcon	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.djvu\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dxf\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mpe\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.b3d\DefaultIcon	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.eps\shell\open\command	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jls\DefaultIcon	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jpg\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ppm\DefaultIcon	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.raw\shell	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.b3d\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.cr2\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dcm\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dcx\ = "IrfanView DCX File"	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jls\shell	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBF8D8ED-B79A-4B72-B82A-09C8928B8A3E}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\notificationserver.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mng\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sff\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.webp\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.xbm	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB\IconUri = "C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\VisualElements_70.png"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jpm\ = "IrfanView JPM File"	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jpm\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sff\shell\open	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sgi	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sgi\shell\open	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.tga\shell\open	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.swf	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.emf\shell\open\command	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ani\shell	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dcx\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jpm\shell\open	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.xbm\DefaultIcon	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.xpm\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dcm\DefaultIcon	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.g3\shell	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.g3\DefaultIcon	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jp2\shell	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.psp\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	target.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.raw	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.sgi\ = "IrfanView SGI File"	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.avi\DefaultIcon	target.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mid\shell	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wav\ = "IrfanView WAV File"	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.emf\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ppm\ = "IrfanView PPM File"	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.rle\ = "IrfanView RLE File"	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.tga\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	target.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.g3\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	target.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4896	Ninite.exe
4896	Ninite.exe
1300	maintenanceservice_tmp.exe
1300	maintenanceservice_tmp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTcbPrivilege	4896	Ninite.exe
Token: SeCreateTokenPrivilege	4896	Ninite.exe
Token: SeAssignPrimaryTokenPrivilege	4896	Ninite.exe
Token: SeLoadDriverPrivilege	4896	Ninite.exe
Token: SeBackupPrivilege	4896	Ninite.exe
Token: SeRestorePrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeTakeOwnershipPrivilege	4896	Ninite.exe
Token: SeLockMemoryPrivilege	4896	Ninite.exe
Token: SeIncreaseQuotaPrivilege	4896	Ninite.exe
Token: SeMachineAccountPrivilege	4896	Ninite.exe
Token: SeTcbPrivilege	4896	Ninite.exe
Token: SeSecurityPrivilege	4896	Ninite.exe
Token: SeSystemProfilePrivilege	4896	Ninite.exe
Token: SeSystemtimePrivilege	4896	Ninite.exe
Token: SeProfSingleProcessPrivilege	4896	Ninite.exe
Token: SeIncBasePriorityPrivilege	4896	Ninite.exe
Token: SeCreatePagefilePrivilege	4896	Ninite.exe
Token: SeCreatePermanentPrivilege	4896	Ninite.exe
Token: SeShutdownPrivilege	4896	Ninite.exe
Token: SeAuditPrivilege	4896	Ninite.exe
Token: SeSystemEnvironmentPrivilege	4896	Ninite.exe
Token: SeChangeNotifyPrivilege	4896	Ninite.exe
Token: SeRemoteShutdownPrivilege	4896	Ninite.exe
Token: SeUndockPrivilege	4896	Ninite.exe
Token: SeSyncAgentPrivilege	4896	Ninite.exe
Token: SeEnableDelegationPrivilege	4896	Ninite.exe
Token: SeManageVolumePrivilege	4896	Ninite.exe
Token: SeImpersonatePrivilege	4896	Ninite.exe
Token: SeCreateGlobalPrivilege	4896	Ninite.exe
Token: 31	4896	Ninite.exe
Token: 32	4896	Ninite.exe
Token: 33	4896	Ninite.exe
Token: 34	4896	Ninite.exe
Token: 35	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeAssignPrimaryTokenPrivilege	4896	Ninite.exe
Token: SeTcbPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe
Token: SeDebugPrivilege	4896	Ninite.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3320	target.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 1388	3336	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	82
PID 3336 wrote to memory of 1388	3336	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	82
PID 3336 wrote to memory of 1388	3336	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	82
PID 1388 wrote to memory of 4896	1388	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	83
PID 1388 wrote to memory of 4896	1388	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	83
PID 1388 wrote to memory of 4896	1388	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	83
PID 4896 wrote to memory of 2744	4896	Ninite.exe	91
PID 4896 wrote to memory of 2744	4896	Ninite.exe	91
PID 4896 wrote to memory of 2744	4896	Ninite.exe	91
PID 2744 wrote to memory of 2748	2744	target.exe	92
PID 2744 wrote to memory of 2748	2744	target.exe	92
PID 2744 wrote to memory of 2748	2744	target.exe	92
PID 2748 wrote to memory of 2232	2748	setup.exe	93
PID 2748 wrote to memory of 2232	2748	setup.exe	93
PID 2748 wrote to memory of 4676	2748	setup.exe	94
PID 2748 wrote to memory of 4676	2748	setup.exe	94
PID 2748 wrote to memory of 4676	2748	setup.exe	94
PID 4676 wrote to memory of 1300	4676	maintenanceservice_installer.exe	95
PID 4676 wrote to memory of 1300	4676	maintenanceservice_installer.exe	95
PID 2748 wrote to memory of 1252	2748	setup.exe	97
PID 2748 wrote to memory of 1252	2748	setup.exe	97
PID 1252 wrote to memory of 1952	1252	default-browser-agent.exe	98
PID 1252 wrote to memory of 1952	1252	default-browser-agent.exe	98
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 1952 wrote to memory of 996	1952	firefox.exe	99
PID 2748 wrote to memory of 2396	2748	setup.exe	101
PID 2748 wrote to memory of 2396	2748	setup.exe	101
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 2396 wrote to memory of 5060	2396	firefox.exe	102
PID 4896 wrote to memory of 3320	4896	Ninite.exe	104
PID 4896 wrote to memory of 3320	4896	Ninite.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
"C:\Users\Admin\AppData\Local\Temp\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\3582-490\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\c30bc27d-c844-11ef-a4b7-deeff298442c\Ninite.exe
    Ninite.exe "8a26f082f8f084d2caa26459c1df61c01bf67897" /fullpath "C:\Users\Admin\AppData\Local\Temp\3582-490\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\C51F6D~1\target.exe
      "C:\Users\Admin\AppData\Local\Temp\C51F6D~1\target.exe" -ms
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\setup.exe
        
        .\setup.exe -ms
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2232
      - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
        
        "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
      - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
        
        "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent register-task 308046B0AF4A39CB
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent register-task 308046B0AF4A39CB
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks processor information in registry
        Modifies Control Panel
        
        PID:996
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask install
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask install
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks processor information in registry
        Modifies Control Panel
        
        PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\C51F6D~2\target.exe
      target.exe /silent /desktop=1 /group=1 /allusers=1
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Program Files\IrfanView\i_view64.exe

Filesize
2.4MB

MD5
3520e434d0ca3f28c9b176c279689a41

SHA1
0e19f6eec247cbe315643d3e4215887e634febdf

SHA256
2c6e7be4d12170503b71bc5ab2ef4d2191d57625190c1f04bdd5694ddfb1c627

SHA512
836a14661ca495622699ca1b9e1af703fa4ffe51fa56e3f10f4200f9dadcb2e54dfca49dca78bec17224ce4a7102c8e16077dda2bb1bfeb02c4c334cc8b36019

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png

Filesize
15KB

MD5
e9068cd977693bdab242de4280dda725

SHA1
35a5c8aee11597ec7cc6adaf15e8673b713d73a9

SHA256
1701ff395543f3ad6b25584fa7014073f74949baca0dd2552216f58131328fef

SHA512
29ebff0f99c9a8f47b8f145ee8d88877b17ae0e3eeed1bc017caa20c68a63166831f5feda768189e837d2390cc80790e3e69aa7ec26bf92da2e90b66e1be3362

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png

Filesize
5KB

MD5
c9ae03c43b67a4e4986518fe3fe29756

SHA1
07221e0401f306487504ae9b3c46ef1cb5dec843

SHA256
adf41380b5ed3f73b8e5fb51f7f33b722f4db4600791cdf92033267c9971c4d5

SHA512
0ace7c3cdc18eb1e67971a5acd0a54e1c00d37ac556f8183dccede984cb6520660c9b27064a8ef5f7b706fdabd70e5e424b7b7271ff751bffd997cf2284f9fe7

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png

Filesize
22KB

MD5
8e058139e0576b4ad8d424bb21071063

SHA1
f584d2412c935aa8a7cf73ecdfaaa6a3cf87c064

SHA256
e86ee493e89f5dfce2ce8817ac5d1c04d8ba2b07a06ff0f967c0167562510df7

SHA512
9ce457aa516fb2d3cb7b4a08f2dd81573de301fefc6ddc877142a35851151407367605f00862fb77067d0969ba745bc6bc612a4440aa3017e508e572ec88f2fc

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png

Filesize
8KB

MD5
1a340e565e697e63b5a4ce51f7297119

SHA1
cdb4ca85700ed81db13b15d4bd5b77d41bb20d34

SHA256
c4bb210e61cd35f9a0a54fb941ea2e3bf6abde799bea1c78d24c761c9a3bc429

SHA512
92478fe26f9ea7454206a3106632534c5608d6940588f01fecfd799de636f11b003ffd1e5c762201f9a14f4ebb7fa6a711d99312b03914de817246a6008c7b35

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
102KB

MD5
ad3df985c3223be30aa8165b2d0e9bf2

SHA1
24857a7bf46c60ab25305760bd0ac7a94e825b03

SHA256
37213ce28ed05190a2ae60ed111ee50e62b6555b67213979d61969a07fecf9b3

SHA512
f3c44b899611cc3f01c12e680ad405ef406431a1efd34d16180e2a014ebb01e262e6ab12222c977dc920437fed795a338e6f45c187e7cdc27cc00f90e2ba5366

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
65KB

MD5
92b6487d23cf4142a3f3e59850e15639

SHA1
50ba6acebb178347a7a460be3e541f803fce641d

SHA256
1aee48e0ee9600f18ce49a84db0ac46e6f50190cdde1b56963dbd6659f5567d8

SHA512
973a2f1d64792f6eb3c0fe132c0334c2a117fa053fc365395da18fdec721e48d036564123f3858ab756ec765357d58f8d10cb0911ef239eccf50d2afbdb64f51

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
167KB

MD5
a586708e13318846139d33b691a31e6b

SHA1
e18235e27dd76242c2bf2cac4038dec0bb8d5a3c

SHA256
850bb07c4439b61abb382856fbcf36533155fa81bac07231cdc04fdbeeee1964

SHA512
fdcec983054cb7ed8ecf670abe8e9236b7719af4e80ce7f7a10045ca07ae84c1cf585172e71840c27fdcc68d09d81b6c83ec4c0b3843dc3565af2e85150975ed

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
10KB

MD5
2d3f9fb8813147797826025e2401f9e5

SHA1
8014de534d87132d3cf3590c227a536ce78e4c79

SHA256
fc102c4cb4c02bc6f8976d28ca2137c7189e09195ff81cb7eb097bc907dce154

SHA512
914d1f14da329ee50e9f20766b43f84d025f8caf2a269c21dcd45b52f8f105121d2cc98790d1dbd4c3cca5a628618afdba60ec898f3fc7a9cff0ac0fea3d5a07

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
448KB

MD5
faef700dfbfa31ebe833627b5dd04d2a

SHA1
a593a9f3851cb3dece608172299634f63e742028

SHA256
ebb9e4d6232eb6451ecf3fcb140bd94b415bec0f4b416fa16ee5695fe2f2151a

SHA512
63ff6ea7e71276676d736d884b0e31ec200e592c77dbf18ac3114959bb77389054a48c1050624f1c8a4e7b4abe74565c7c7716fb463f0a953c25599caeaeb142

Download Submit
C:\Program Files\Mozilla Firefox\browser\omni.ja

Filesize
44.3MB

MD5
54306761f9711d41a3ebd343584fa11e

SHA1
58ecc11e20c3488a5b9640b7929a749190b7c47b

SHA256
3e419cb12ddf1707612dd4eb67efc93346b71399f314f06f0650de0110e1ad0c

SHA512
1178e50ab6ce6cc04a1e85a49bf72bd5f3638971a853eb062814979cc3026f58954d709572e6eb0a66f94275ca26c2ff4dfb810fb9ba1bcb7d49a96823e2b27a

Download Submit
C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini

Filesize
222B

MD5
4b8dc92a079f224935392f9b5a2dc051

SHA1
1027fc1b3e2e8ae78c60bfb25c5c9f87f9b3cae2

SHA256
79d1631316cd79bc5127f745aa6707b4445f7d0432b685ef2c3ec3cf3a62ecba

SHA512
ad0186cfc9df574e4a3c7c209b5dc3078fb86f6b1de0008bdede6768ec08d61b20f371d7b2d01dc50aa7d094b150db816358f03fa0d9135ce26d80d8886a1704

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

Filesize
914B

MD5
20d488438083a61255f87a692ff80a42

SHA1
8d021d8c3390d7c68f33e2b2222feb1c65ba69e3

SHA256
19100e64ab17c3414d9374132a05fec66e299a09f24199c56c01181b5fe9df28

SHA512
ffb6b8ca01799551d9928c9adc1a8b926f720f72e744d897c89f7d9462dfda1a63f9cc3a88d9f82ca91f6e8a096a097633a5e6d446a442f4c04bb654fe4c4fab

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

Filesize
1012B

MD5
0a10c7ef2e777646e70b81f9e57f703f

SHA1
1aec5db60c0e34ed1df89376901472451c36bb01

SHA256
01ebc344c23ace7ee3da01543c0bcdf3e261aa741546fe4bc283c57288ee73f3

SHA512
93382de6ede6d0017cbf0ea7ab9f7e34f8ba4e3cb8213916380af5006bd30169d477eb64a45eb4da977da9f1aa637f31b3676c3477ac1912e80d0047bc7b391b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
ba37556cb4c8fbf3cde017bf8ae2abe1

SHA1
9cd74412335f2372bc7a24212d5b20ad418c40ce

SHA256
981fcadb4974dc748fd4dfdd9d0e3895a671fc334ecbcfc31192c9bbc11f37fa

SHA512
368c334fb832b4405c7fc551483f4d0c42844a714d7c0b27676f5179fbad866ffdabdc8806a00cb5a76dfb9d1a45a09b188c1e2b5ec9fee57c890502295eb07d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
202c1cc2a941ce65e6628e4d3d10728a

SHA1
3ef8700d23bb82f2e5a3043350d9fdbe13e005c6

SHA256
9153470df8ea66a9037eb771e8a4bf208fa7eed8ea4148d49121a75c9b960ed1

SHA512
621a92ef02b596130e31e9fbd4929736ca943a56380a26f17a412761d09278ec32dccb534f8112729311cdc74909a42d3969994c75b8c676043e23c0a5f3c9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
90455a34f243e2def574e809cecb65c0

SHA1
a1508a72816b3e74063deed6cb2255547eacc470

SHA256
7d849e06bbc9b3101df1c46e53786de52ffa20b8be2ed7f775537857a4f10542

SHA512
708c6524bb2bff3433da3ae3b5ec4f99e30f8765b1989502e616120b9e941d4880e47a20d0aa301c750e871c4424b44b37344d50b3642b19e1570f945ad6ace8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
72fe46bbd4d8b0780a7172572aa5f96b

SHA1
58dceb7fbc5fd0b9c1ea919b43f347fccbe0ecd6

SHA256
462f6f12bf7493904923ffa88e186d0e3189146dd0b98044e30b05c950b11e10

SHA512
db84159630a026cab1fd9cddd61d5905cb9a2da21bf68af65fd814ce4ce6bda747866fdd915460189a354c6bb05a435d9923698fc9791a8099dd357f44a82c8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
8952d95012410c167ddbfd3cf095584e

SHA1
cd3307e5700939c925a410cf46552d04cded7c39

SHA256
b1a9846cb63f7af6976f8f336522f6d6691b5ddff75b7b638a54f41781276c94

SHA512
e2d90daeca2f9f114d440d9bca34b699318eccf62b1eabc9ba4ff4f3e597ba329538ac1968d32c1429b745c2c616761c76d5b434077676531b49db197359c651

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
acffac6301c6633a0b826b1dffb1dc4e

SHA1
1d594008b043ed47d70100afbd22022ff0e3d27f

SHA256
ea52c1647cb8f37caa3702645f15298b38a5829221bea27545baa73f02db2996

SHA512
6e0f1018721438eae53c1b4a4476111f18ec5c90a1b038baaa847dd4a3fc5db42f993ade630ca976defde4c7d6bbed49c544ab332b35fffcc2aef3de0004bb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Filesize
415KB

MD5
9a133ccb5e42ef63514559589158caf9

SHA1
9812c1a3c3a4833157ae4d8af5ca669cf9ef7e3a

SHA256
cc976278eff6862b1d474f7f64cc35335612211b3f685d27a67f59f90d250e28

SHA512
c8ee3bb7e20cd32fd30b7a93d8dcab4e120fe6300e3599a3fcad38e2fc582066e2345894c35035ca557dee4994b0e86265d66a34a1a98a09bf7a9e235825a19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\AccessibleMarshal.dll

Filesize
31KB

MD5
fcdb5689943013c5409885e37cba4737

SHA1
c12ca81adf8343571aceb399d725790d124df88a

SHA256
c26c7cc9a9bfc874e6f1199497f6cde22d587464d80f66b4ff8d84ef47f7d44f

SHA512
3d0c1ffa00909dce56c7d634d1c5ce48490dd9ff689c5dfede984065a79c5f9d942e26e15f35c1060a55810d07a7f3200c305b24cc939b785d0417d92f625ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\application.ini

Filesize
899B

MD5
11e2397659ddb3044a3cb237eaa6999f

SHA1
7b329c1a02d2fe6cf3b75cf60f882ee8b1059512

SHA256
78cde9cdb95936fd4f8b806a79a6d3a66e9b6e1f47a926a6f84923ca37e940a3

SHA512
1f828a729ce528606712c57e4e7801fdccaa5efed982beb6dc422151daf79ab91432f8ca364c395b4649ce9ee13e123d4bb07f286c109d1f269f5217ee8c49d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\crashreporter.exe

Filesize
3.4MB

MD5
4a47088c6ea24e485140b65f8ff3a800

SHA1
e29da6dcd0bfd1021993eec9be0c5a0a25a56fd9

SHA256
7e6a2061238a6b39ee36db89604b2ca2b73e6b5489d10ff1157e39141bb87797

SHA512
992cdb90231276a90170b180d692d17576282965c99e3fc89a480594d7068bfee0e62a4c672126677fef40cceefabb4f5baa990b2d8fb46b92559ce6e7be3fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\default-browser-agent.exe

Filesize
33KB

MD5
957b376311b114608465e157c114d49b

SHA1
941562607f6a05b01ad0c54c669d0b111dea5df5

SHA256
d5c6bd4ad0832e3cbc33842ea3741c2fa62d3eee5d40cbbda075dea50cfe5174

SHA512
e2018b5c8934efb960cb1ea3e72bf6abbe369d8e45131c2422ae5a2807f569a229e3db11e493a4a658d7857c40680c0fb0c75652d32f8c738f212da9808e106a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\dependentlibs.list

Filesize
55B

MD5
a515bc619743c790d426780ed4810105

SHA1
355dab227f0291b2c7f1945478eec7a4248578a0

SHA256
612e53338b53449be39f2e9086e15edc7bb3e7aa56c9d65a9d53b9eb3c3cc77d

SHA512
48ecd83a5eb1557dfabfaf588057e86fb4b7610f6ece119d6d89a38369d1c9426027520ce5b6d1cc79a4783b9f39ac58afb360cc76e05bbe8bbbd5128c5d395b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\firefox.VisualElementsManifest.xml

Filesize
557B

MD5
0aa43576f0420593451b10ab3b7582ec

SHA1
b5f535932053591c7678faa1cd7cc3a7de680d0d

SHA256
3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6

SHA512
6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\firefox.exe

Filesize
656KB

MD5
cdcc12d740f4ac31844f7753b86abbb9

SHA1
d329ac9e5e93e01427b7bb10d183fa3ab16453c3

SHA256
4f6606e9a79f2c6f75bf34ce1bf54785713fbe077d37a80d4a9c951948628f19

SHA512
3115f65bb88f01ce300bca92b6294639baa349f72bab580e4dbcef55b2aeb276e67946204792908c999c87216ecfcad212bb1da8d0b63f7a263d512bb2218488

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\firefox.exe.sig

Filesize
1KB

MD5
2c78dc46fb8a960a59361f31d4d23c0e

SHA1
e1702f93e0474a270c72afee9a3337ed8805bb3f

SHA256
120c958954beb1df85ab2008837a3f80235abc8535734a0b7f3eeb7fbfc84881

SHA512
7030452026dbfcdd04d32e9f164fdcc73956ce5a1de6e086a4ac5404d54ee36c50d54cc8291874645978ded7c07d5a782b832ac4114f135ef916bc8cb28a3325

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\fonts\TwemojiMozilla.ttf

Filesize
1.4MB

MD5
aac75d901445bc0419d56e56dbc18891

SHA1
3ada434f3a727167ce6dce3b865fa6bfb70ed86f

SHA256
6d90152ee0d29e82fe2a87793af5aa4b7ad13e6538360889e141e81ed299ee8e

SHA512
83fd92ff444ab6de18d48997247f49845abb8420a07b74ebc8a65bda8da69d28f87b6abe0f607b2fd7da398dc0f8cbe7fbf655af6d25785ad8b2f1a3afca136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\freebl3.dll

Filesize
1006KB

MD5
a778f7c0c81ce2cc50606b3a4f38341f

SHA1
2519300e36b067cd1f33643ca080b41ce93acd19

SHA256
fb228c3b23eef48589db407066b9e868500c8a8008ee5927e936ce4035d53c6a

SHA512
dcd5eb8e7f221df5c9857964368a8bb9dfbacd6008c864b780c49f5a38c51226cb13b6e3b40ab8103cb2dad594f65fe5bec28edb9ca3326cc0676774d02d4aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\gkcodecs.dll

Filesize
9.1MB

MD5
f254c7b210119b9598aaa3936c665afc

SHA1
2ee33229143a07db083c4d36fd01c50e728548ec

SHA256
08d93e40822907014308fda870d64bb36f975f30f0736972c82c436b1f469778

SHA512
7490805cbda38f787863565f422ee2cecac39aafad6648848c3f919b50a4dc88c94906995822e0626e40a5513c5c0bc73cc9bb6bb9b485b3a4797560eb76fbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\gmp-clearkey\0.1\clearkey.dll

Filesize
103KB

MD5
9b826e7d081e97859cb1356e7c7281d6

SHA1
7a32d1dadca5315b9ec542ac81d9e50b6b6530f2

SHA256
232173ff106a8ae242af780d6d9f3909a604b7ab32973b6128d340ce070fc128

SHA512
79b9a1348ee2420d768d746be971e6cc055f7b6054b65e2ddd865c90b243db5ec743db0db10f8a23eed9d78bb8403ce6bfaf6f6bb740b73f613360cf72f4000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\gmp-clearkey\0.1\clearkey.dll.sig

Filesize
1KB

MD5
d61d8ca0ae7c1fdcb3e775f20fb92cfc

SHA1
ddb3e2f0e78abc752c625251f39a5f8447449596

SHA256
2929a9898683623175d09e6a2d17d385f5c1b8a434bbc59c6f74802623a55c07

SHA512
a55eb82a7482933f157381638427f198ea1cdfd4f4bc54af55eb985ffbd41b103fd84dd2893a2a4b8d994b04d6faa9601c35f293c7fcf4654768a99d9bf07304

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\gmp-clearkey\0.1\manifest.json

Filesize
229B

MD5
cffdadfaeeaaf0a5a78e7f9a299aa7f1

SHA1
7a8f06d7c91877484301ce8474dfbb1bde08a040

SHA256
ef47e83036753b53f59d079fef62bfedc749abdbcdb0fe16f448d9920f11114c

SHA512
5a11e448389326ddbd3be792d9a10ae746c66e4a41f9c96f4979ec71fde385fc4deb205a40f1b4f24415abd9d41c453ca1285f4b813005b1d12a2701f214db85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\ipcclientcerts.dll

Filesize
207KB

MD5
77139d276522ca4eb8cb7cf1045e4cc3

SHA1
d57380630462043baf422940f85c5a59758f5403

SHA256
9713843b6d89baa4641ca7dd9e79135efab29d49ce6913d645bfbeafce8e35f5

SHA512
7dcd525f067e63025f1fefd0fc20387a74a3e40c11d719f4adb907c77af8a221d40d2141ddbfd585ca2223ddcfaa21db8fa0ba15e83727c90580e8f1dc667804

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\lgpllibs.dll

Filesize
153KB

MD5
401eb7bba880391adbcf7b0afb011c0e

SHA1
f2486d75bf109c7cb282742a9325d85736982390

SHA256
f08d3b747caeea357be4b15d95a8611565ce0a6bf0feae3368500d18eef99aa3

SHA512
68b4164a42b3feead05d8aac5029f1ed90b8b98ce36aabc73759d120864ebc5a4276d934ec8e81cce5b6e0ef2406f803cfce4cc2be2d498092b2b6a67f9a0cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\libEGL.dll

Filesize
47KB

MD5
f5a6241840226aa70ea9c670747401c6

SHA1
50374fcb3b319df3b55a45d8b4992560ba13043d

SHA256
2b9d08662e34f5d5121492d5dead6668feb6f729369a4f9635657b3da845cd5a

SHA512
de6cdf0c9c161acd958346455cbbc300ade1b5ba96ec5dd05817b269a2a08f8ac17578b63b956dda8bf79ba7e1516091587db3bc55a4dcd9a92df4915fad4a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\libGLESv2.dll

Filesize
4.8MB

MD5
bc4e256d3c6115bfaab4d0d953f108b1

SHA1
ea6df86acf060a9a99b1a99ffecfa56afe6ea8ce

SHA256
5abba83a58c838e3e6d28debae466d58d4447aef7a14ad88402f91c3caae6a08

SHA512
031171b2612534ee4c949c68417a1a45b7d8948ecabf887e3bad42730f36271a156f80af8333efbc7dcba33fecd30159cb88c20c3e143146cdf31518b6f83cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\maintenanceservice.exe

Filesize
272KB

MD5
933b72d5ab4d0a2e3e3cf71efecb4546

SHA1
60d20d0b9e7d466bfe72d2c3a57c7029e40ed1f0

SHA256
3a37547504b85862bcb6460dd346eb34473d92e3a159889ba4d9f77f75d22005

SHA512
3db6fac8d5b9d197b0c36542769d8f8903ea76b580e81ec760ae9723dcbc5f1a14bbe908193b148a6154b5cf3737d5fc61b671a66cbef63b9dd789e3bc31da3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\maintenanceservice_installer.exe

Filesize
184KB

MD5
375fa830b43d7eaf2ac453417028b07a

SHA1
c9c3e3748de7157ff2be480511ddb76fa3b9cf60

SHA256
a98f5c087a8c7fffc7e7de8c579d68008f343493e25338767b1f7e4296e62d85

SHA512
0f0b7bcab6695ef5ab3ae105020e0fd7392f6865b1bd64f9296550448db144c4f276b9fbd61ee4f417e7e377cb7b2272d3613310acef311dbca2c6266378a882

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\mozavcodec.dll

Filesize
3.1MB

MD5
b84ed9d10cf0c7496b4d57386e84044a

SHA1
f299b59d3cdc265b21dfc8f796b4ab4e57a4bfc1

SHA256
ec0571b0498df59111b6c2a41000126d754284ef95aee8a537bc90466b023009

SHA512
3b2d19af502b611178e317598fa557e5126e4014c7ede2c1d135ebe7d7f4239be7f04f090ef3f66c2b120af419d30f16fecd597a6a305379d453de8499457f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\mozavutil.dll

Filesize
565KB

MD5
fe90128df7346826131d0a99f5caadc4

SHA1
f4413dc0dfdb5c3100f6eb4d5e421e840d7fced1

SHA256
32563604ea9d4a0a9ac00ca186bad84cd6f42a995dc727ef1c3dc9d905ccd48c

SHA512
916c384e683dc80668d2b3f4ab8d3a1f314060f707054ea5e90d3dcd8d4f0485e722aa1da9a9fba05822df8d1494915781963ef43bf51e8ccdaf25424f41eb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\mozglue.dll

Filesize
1020KB

MD5
5ca2b17b6a5a9d04f5c13e6d1174315f

SHA1
fd2788fb7276c2af782a088a8e87a3539831534f

SHA256
863caf28892f63ec58e6a9aad01e81fe07a550713f796dd2d685c9d21ccaa333

SHA512
3690cf2c7ea447176437bd3fb2f815d9b9af9a50c20eb0a80ab57343c0ab813ed832039af443ddfa385c2a0b779fb92fee4af125a036b25c974a3207f5220d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\mozwer.dll

Filesize
322KB

MD5
4775440d49288b74ca62248c5ddd2688

SHA1
76aa7ec42dacd43d0716548b0f69f60be403cbe8

SHA256
0514472e490a5740f81c2ac139aef021231f8257ae608c6c8cc68b840e66faa4

SHA512
74f53d79716ebecb3974a373e13d850b1c736bcac38a160d83359d1c8012e0c36fc9cbb179359fd8cf0351b663d354b8568bc71d2653fd1bc0694f0020862fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\msvcp140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\nmhproxy.exe

Filesize
564KB

MD5
31c478626c28e7811152d4020e495d95

SHA1
5d83606c1afa3fd344833d5a618d675ef60e398b

SHA256
2a4f1cff9391849d0b3f9fc1d87cd7895357a55f1042f8bf8d039d7633e30c51

SHA512
6fb2a3f5d916d4a9baddaee86df9163cc77379d68119df2b1bd4d8c47388fda20d497c2c7286f1d7d04472adac96a77318dad6d990ce442e8da3d315bb87376e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\notificationserver.dll

Filesize
60KB

MD5
374671ccb4774aef119358e24b42d29c

SHA1
a7fc4b2498c1d6a57f92ccb6e8ed96336263e1a5

SHA256
8fd24766af68ff4b20acfb91cac2ebbcd4ef5d1a2a9be51457b721e47bcb67e4

SHA512
f72f2be4c23ea5782a2e7d34e446e2f2c570e06ddcb68965f246fd7c942566e642956f6dbed168f51bae55456fdf4cf52f17ae8a4598d034a05333e727ef5463

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\nss3.dll

Filesize
2.6MB

MD5
94294f1648e6f0954de3a956732adafe

SHA1
cf0b3928395948f4b9e6f67b5b6f55873399d152

SHA256
9b1b5e5a2a1e78826f8b7d1fe6c3c41365c2f00b72132c83bc03fdff8c797455

SHA512
d54102ab9905d16c30b6f03dd584998ece77dec5f87bfa43dc31f874490499d4546498579b1aced8f201a6d9fbc1c56620cf6d35c41535ef8c79fc6165c5c80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\nssckbi.dll

Filesize
372KB

MD5
57eb39c932219c5d9f4af4b67a0d53b8

SHA1
4e6d7383397ddcb48ec8148c989cad60c7696674

SHA256
633856bfab5401523cffe653fb20f3c78c7462f002ba237e5dcbebbfe9dc36c0

SHA512
53bf7c3fb6d68f62f649bd8469068fd4030f936551fd9f74ac3a25614ae028ea8bdec08c832f5c8c5f5bac81b064d9bfead53e741939c0884062c1f569b3d169

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\omni.ja

Filesize
34.8MB

MD5
591d3e457508161703987e4ba95f3c4e

SHA1
25c64d0a6cfc6bbd97957ba2270bd04e8c15148e

SHA256
e4b7cd847ccda160894dc39b4ed5f527908fef1e6559ae3aae9b6664d002a4b3

SHA512
9f05b7f4d55c2204acd773407c3cf3e0f5bfe28665eef5f34c8e733a5739909f2b45fda585c53f6049ed8e8df608b8fe4ceee115f6465f6fb4ac69b87b1876c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\osclientcerts.dll

Filesize
357KB

MD5
289ee8ce164f1e2f91000a54f70bca17

SHA1
ba8d53656e91a5c71d38bd8a36486f4d56bc6486

SHA256
fe05208558e65192c5df8dd503d7164cb0ddd9bb093a21ceb62aa7c27048281d

SHA512
86f047e3ef2d3f4f723f9646228ef95a100e76ba076474eb1a0a805ab3b507c76f143b8dae6e40db6391983a7f554d9b2082b3a821b98e28b821f52c7ffb3b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\pingsender.exe

Filesize
79KB

MD5
5879f47cd26ed028de23b592b76602f3

SHA1
e90af476632f83446f343b1f0382b01263985534

SHA256
a101093bc59c761293108363a90386b5cf3c2b1ffc555c7ecb474d5ec1db32a7

SHA512
6961b21f012b6fcd9d402d8f473416a6f4a5de4c996ccfc53362e38dd2ecf29f6a0afaff75af36f1ee016bac8735a716e3aa7e5050ac2306f22f8bf752914840

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\platform.ini

Filesize
167B

MD5
284a20353e22d0dd3316bb4cae8c7334

SHA1
280dbbcb965c2f95c0f6001baf9bd38db5d4b9ac

SHA256
885cc3b9d30d445336a9e5eb6f5ccc3d926441298bc9013009d82ac2351bea67

SHA512
e8ed7632f312c44faafd08fc478eb8062edbfba1b1a6e759194fb5cbad5d8db093d8714452b4282f51c565efb367aa6e157b7f1342967a6ab84a366db43952d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\plugin-container.exe

Filesize
138KB

MD5
ef58f72dd4880de7fce9cf63d55b3355

SHA1
e3f07d3eb6dacf17a7b99f365e6b11498d9298a0

SHA256
0a55510ec619f418c0515d7de81f4660aac8ee19cf1fb20961cbc7d7d5ba3191

SHA512
23d31119838cd60d07a25d0fe5be3f7361e9802f95a1c3d98498a795faafc370e4b2a8c61102075f802958841e0ae9c0936946989006f458f46ac57e1df8d0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\plugin-container.exe.sig

Filesize
1KB

MD5
4cc647e7636b41134ee9910ec103b972

SHA1
feaf1d8846ad6187df9854aa0ffccc807cd0d5f7

SHA256
a4196ff32a2db97d4d36c94c36cde23a793aadc34e40675557cb0f317e5e111e

SHA512
fe21118c842e14aaa89a54e907b10a3670b638683fe19c30779ead031376dc76c162763f57b37d07f3a8825b81471f3ab6d820659b6d41ce2c458281fc462c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\precomplete

Filesize
1KB

MD5
e3c727e109f37b98b773632e1f6e2c6f

SHA1
2744e837b34788e2fc60926c78c75b8fc3d289df

SHA256
19aac637437ff577f123edd0c6142db3f383ffb8fbc911f38905312361b52511

SHA512
7d107a3988023db39f78b093a3462ebd77612d3d0d136a48657824b046d77a34775c3a9c23367541a65b5279f358e8f3a5a49cac1324fde1136f021ae63d2b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\private_browsing.VisualElementsManifest.xml

Filesize
559B

MD5
b499ede5c9228c742578086591193efe

SHA1
18e682ec73ed8fcea99893142fa8b08ee8a32b72

SHA256
9ea86a18d41112e25b17454044ac29b458f508d9814700a6f4c0f9370678f3ae

SHA512
b99ef0e9152da3bf6adac5fef67b44738ae7a2d1ef0041786a5700b8389acde7380f1bc9bf1402c7a356f1777aca7c2b05af5ee22b7297bc879fe2e6b9741f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\private_browsing.exe

Filesize
64KB

MD5
b5f242e6303e5e1474e68afce1898afe

SHA1
93ff527599c396e33bd4acf5854188b6afde9b60

SHA256
808b3c732efcedd04342dd4835c9f2883e1d0da8d0eb9f09e103963ff7357490

SHA512
dda0c03ee4288c734bd6ca28b2471d30b76cd6a4dce1c3ece0a0467867639a11ecb7f029251e3869c6410188b00d627d6e9c5027c22dd3246bcf9ab60ec5030c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\removed-files

Filesize
16B

MD5
fefbfac37461bd30e05f5befaa1f7705

SHA1
74f9024662db06184e645cab76bfecb0e6897545

SHA256
52523da24287c4d459131c2e4818a713a732765e06e9bbba1cf353888ba34f9f

SHA512
874d6bdef28dea531c858443810d0b026a3a5667e0b9985bce84b7c5ab63d06a015487bd1da2a914d28af7b6568335b1927f9fb9656715947929cd6671ccc4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\softokn3.dll

Filesize
316KB

MD5
90762d6f71b4d85fa3bcdb8cfb8cab82

SHA1
fb51e9eee8a59e50ed7de4da567c19e330577455

SHA256
c00f6d95a517c97fa363e6f6dea35f3f1c6c9bad7d88931ac1b4173e1a1eea26

SHA512
90e6c8e1f755e1ce73514768b3d094d01c2721ba064211cd6c94cc9bf140bc56a23e5f5878db8fd5dd6ed8379d94fe4d7418029046e06898982d7e8d04c5d3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\uninstall\helper.exe

Filesize
1.3MB

MD5
6aad5728fe7ae00475aa4589111f39c7

SHA1
527f39958305b44697ccb41ac105e2cd4a2730fd

SHA256
45950234f2e59bc50c6a4edd427bdf96df662477eb4b55d57c1f3a628e333e8f

SHA512
4c58396a77834cdcfced75b0201f3c74e8a00d53cb4eafcb9f14db1d32b628e11ba5e858aeee299006df7630e6d1e6ce36203cf18ddeb927594cf82dbe4ce1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\update-settings.ini

Filesize
132B

MD5
1413131f8cfad1e19d299667bf759087

SHA1
a0435cbf1a2817ec960c56a896d455e78adc226d

SHA256
c18489344fdc21ae366b4d957a0b9f11be772483ca46f9ffab6ed0356f946513

SHA512
590b53aff46903b1883c5fb14492ca85db2c6e0e900d0fdf62c3e6da10f1d10c3aa51224dc6db50f4eb12d42de017892f77e91d79aa16fcaefba10b27748748d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\updater.exe

Filesize
454KB

MD5
06545fbb92e5fb20fb11b4444cab1234

SHA1
5d82916b290bc27722cfa529f7483381ce79a48f

SHA256
06f1c5d4ff1f7be5302dfc0cda84a9e2a93ad2bc7a4ebbd901c357ce2b992c89

SHA512
3942e56e135531d9878ad8ddeecd2878ab16da00c9ce494b9d37deedd6f06a48ffccdad3ed2ce2d905859549a045979220c86a184077f64b799d3bdf7a57cf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\updater.ini

Filesize
1KB

MD5
7a6cbd521497f6dd382f7b8c6aaa1eb5

SHA1
a0bccd339f6d045f0aeb4de504398c97c3dc2be0

SHA256
531b55d2224efa181b75ed4ceb84e4f854f26c2382dc411945515d57d8df2243

SHA512
af32b8b1e93c2fc1bb6c7ce0f371c8cedcdcb753393e8cbdf282424935db5f8f04b3468d450edc81ef28d8b4430d8941dacb2d8826d28be9065dc787c53eb553

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\vcruntime140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\wmfclearkey.dll

Filesize
199KB

MD5
974dfd93ef0dbedc398c9f83105b078f

SHA1
714a63e8c74d5559c37af34acb2d746dcdaa2299

SHA256
a2eb5016e2ae6099475cf517c6ce8a87befd6279a71f1c12715d3b3867b55b2b

SHA512
c92cef21df1c1d911bf8c488a90d904ed4e620df5250a9330114f8e6bd83ef0e5f9987247d950bebce38e1f4a6726ea3a2931efb099b3cb01dc4b66186d7097f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\core\xul.dll.sig

Filesize
1KB

MD5
a16d32f52fd7c80c50a5fc8d12321c42

SHA1
9c13f048c92e1dc6d8ae6f7a18f749fd33571a81

SHA256
1bd432458254b2a7b9e50bf4a8819b050e72b602288eab444cd9046e47ec3146

SHA512
da9330f46e409a81842c7b64348c6db1ad512ae568973b6baced21b5a3d183d1b09538945a16d9222d031fab148891ff5ad800d122e6d5bb88d5cc400d155db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA82DE7\setup.exe

Filesize
1014KB

MD5
69a813801fe0cda22d32f7ebf3261882

SHA1
32b909e9fa99bfce406cc2d78e8364ca6977415c

SHA256
5a708edd8d87f612dbae516f2c247b3e86e04eb4dbb8802fb977ef7ef54511b9

SHA512
28436c09b526e07311c31f44c9cd9199d458677dbc582ff3b144fa35fa59ef065cd92b8922fb42d13677d25ad8ec995ee84a083b29e70e418d5821b370cf7173

Download Submit
C:\Users\Admin\AppData\Local\Temp\c30bc27d-c844-11ef-a4b7-deeff298442c\Ninite.exe

Filesize
1.7MB

MD5
aecea03ab75ea848dc8bb0511a3dfd83

SHA1
7c115564fc6502e16f4b29d207c25ec163c2b3e8

SHA256
168c0280421ec2cea8adcf34a22056839f32df0ac3575b08f98001a10ad587c9

SHA512
cdb4055fe937c21ff96d166b413876869508da69f00f3d508b16ce400a625a95aa013d3b1c4a4b25d789b345b3d4b366fecfb42d04b24255e4d18f4b51583fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\AccessControl.dll

Filesize
21KB

MD5
eb7a540d0d2e28f6bf524d2cdbe0f478

SHA1
76204991c60913cffeba5595033c4f79e1e89bd8

SHA256
ef4b548b27a6edab3bcb25cff0598918c645795850d62f232909dee851e04c6d

SHA512
947132d07f7875dc99fbe8a87757f6efee0a8c6271f8a3bac6747f9f4f60ed7e203e28a588db8c55ee898ba8f3dcf640f6562c49c45d6c6d8fdbe2d2309b9984

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\AppAssocReg.dll

Filesize
14KB

MD5
012461cad43cc5a871bb2019a461a2e4

SHA1
75617dce95008117b5b1bd602bbbe58dfda4e6d8

SHA256
eeed86addbf5989fe54e862e68e9a287eeaad11b209c26de67ab660b21445e15

SHA512
f1c42d0703e5c4fafae2fab90a7c23499e8b72f9e04ecc10602d1c48ca08781000cda36af86577b3e2380684ca442db54668f390822f3590b6dca6507e80fa2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\ApplicationID.dll

Filesize
55KB

MD5
fdc0338e6faeaf6f7c271982e103473b

SHA1
9a41f7932abe8be7e32c6371f085cf14de355d00

SHA256
a9dad9fdaae93d10dc2ee346b231913445e731049554b8bb1506827e46f8a44e

SHA512
a766eef11db4c94b1445d1cd70cf1d3b6141d6b3973562e9fa8d81c79195886b884dbc9b9f6952f8a6e8619534a6bf2d615d539d2cace9c8843dc19415051cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\CityHash.dll

Filesize
53KB

MD5
2021acc65fa998daa98131e20c4605be

SHA1
2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

SHA256
c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

SHA512
cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\ServicesHelper.dll

Filesize
14KB

MD5
b9e8c2212ac8dae4b0eaf97c048529fa

SHA1
331d172323480b0518abdb0cc9e256dc7f46c357

SHA256
d6f6758adac2c073bec481e8de762af3a5574789bce3f43de02356afc9911e0f

SHA512
d93aa032e27c8268a4f6883711cf41f7ee2b5d33673a26d78db24456f2c548af39b7b98ed4b4737245c278d524fffb3e4bf708b6815dc866acd371427ff6be96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\ShellLink.dll

Filesize
14KB

MD5
fa94d120efb029b43217c66bbc8c650c

SHA1
1fcf2d76adf69b403b7400681ac91d50ed20385f

SHA256
5f6f414b412c72b10f49eb92af1d368ede531b58fb200d539fd2b45e371612db

SHA512
07ed0771d5bbb651ea7421a5f6b08fa234f9cc041315d9360a7135ba12180064fc99a27725385a8ecd3ceb25bed5c00de169f7dabb3ccf6e987f45254dff8158

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\components.ini

Filesize
44B

MD5
c9b5d86a9a0f014293b24a0922837564

SHA1
3cc73b4a30a1a0bfdc6812bbd17994f53eb5db2a

SHA256
775c85f3552754ad3794b88c0cb6d6fc43d412cd9a87a4b9e847386a5bd0a9c4

SHA512
790f365afbe4c5a37dbb56443d38f0c439eadca002e4001d373d6db8c1d80c4adacf3749e9d210cd0316381682fbbc46616a3fa36581c7ea6f5ce69119944b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\components.ini

Filesize
610B

MD5
d99af869f79f676872a8999b25e9dd22

SHA1
ff35f7cf1414cdacd7cfcaf79e4030a53be578d1

SHA256
9bcc1706834feed083da8e2d4fde24cb873efeac9c7a876c1b297bd3777dc83e

SHA512
65680e09d81515562e3fb81e89e273ce15dc76272cbddb7a1e47105c61f2b226044c05813aa689f6badb1626551c4f46d82398ef46ecb4a54aa52b1f9d2ca621

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\extensions.ini

Filesize
630B

MD5
940e15a3691292c513f015e351f33072

SHA1
0545d9d43b188182988195db8a01fcd3ff43afc4

SHA256
0723b5d0c55354754b2084b712854c39ca089b1d883de067ac3c20935808397d

SHA512
cab225845a6ad929b643f3c6f8e9f1b8d0e7f0b19ca7ddaeb6350c508e9d21294749077ab3d041facca1d41578b2434f0faa37a5bb64f1ab1ddadda0edce4b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\liteFirewallW.dll

Filesize
92KB

MD5
f5a3005a46e051b8d9eb5e2be7802f7e

SHA1
4fae43843bf6210d5d98683b50705824877a7d9a

SHA256
c0a12e651085aa2488796b474a5ca3bc70c22f1fd98ef854049b8d72987e478d

SHA512
4993fcfe6669dd1e3621ca50e35aad750bc6c89838abf94da4303c5a31e958b3d3bc2cf70c268590c8cd5cdbc90f015ffa37cf98548c2b54ea8171b63a3bfa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\nsExec.dll

Filesize
17KB

MD5
0e584c7120bd474c616013c58d51dc6b

SHA1
0bc980892341b52985d92fb3d8fbb6be77951935

SHA256
7fb626aa05bee1095633a75aeb7895ebd816a98e0aa1581a0154e4c196de5391

SHA512
aa3a471b3f33c3ffdbe1b1e3c1e5d04367bcab3c16049396a8dd12c5a8317e4b153761f74f39b756dd4fb1806aedc4f1bb38bfbc12f16480eed3fd3087a0d157

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\nsJSON.dll

Filesize
33KB

MD5
e832077eaee06f3b2ac9a8d2e7264567

SHA1
decbc329257c9c7fb67d3c449b4c5dfc1f87471f

SHA256
705f4947fb94254c4e5084e6a962045f6a4e790dfc1ecf59cd0fc3feb38bcbbf

SHA512
c1bada98c52ee2318d23c48fe202380eb42c5e1f18226cdc017f264c8c34f548bfe4d9b6eef13caae69ba321a71b199431b249fdec65f8bb1c386810932ccf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\options.ini

Filesize
1KB

MD5
f50ac2442dddb1ec2bd0dd5410fcfbb4

SHA1
13a4a1dbd6cad83aa6e5d9043b6d98e1bf4ec371

SHA256
89b31e3fe0c4390d252a686512bacec6f53e3f4da6d1f12bca2866d4ba37d021

SHA512
697bad94809681055d19fb03f8979c79bb948bd01888392a0fff37b30fc87f965e7f716c0c28de6df6746518a5d5c26006e3a313eecbc6f8bdbed25d39d6f8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE1C6.tmp\shortcuts.ini

Filesize
874B

MD5
71851e095439dfcac9099254c0881673

SHA1
d31c9dfade1d31b937872dd6a8761c4c117ef588

SHA256
97ef03760837f339242d39927e0f9fa046669ed66b9a413b853ea8b6450ebfc4

SHA512
1025ff9cfed7f064670b43b401f80a2a805354cdd0f3a348c3935e15e08d67d9fb05d028b259a66003403425d842d5f10aa88e9bb57563765cecb91e85ab6c18

Download Submit
C:\Users\Admin\AppData\Roaming\IrfanView\i_view64.ini

Filesize
79B

MD5
f92e1ae28962ce5925a9d459ac6324de

SHA1
6a89d4f0a03ed3fbae7e80fe39b94fc32ae87cdb

SHA256
8558f9e261a7b1b482ba9c258bceceb3cf6e37832d92b875a2a28d1d2b6109d1

SHA512
9d4c02ad819748809205edd7a7b0150a844cd67e4e8152c15c5a0b6a6a2c49d22d07467871c2bebc5f92de03bcaa7d4666c32f5355ce09e10fb4abf776164590

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\yo52wlf7.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
019e9c1a06b3179d6924c1596a5d55b9

SHA1
531de796c93c43f0723a6752ee0baa0e322a62e0

SHA256
47a3b5c21bb71aae6a0e2800ae553e08fb655d86efed402fa5fc10db3f6d789b

SHA512
66f544529b82f27bc9b371a92f9eccd6bdc82c86c0d6d74efa718dfb788c545fa174f493e6f5a7ed3f2f34dadba73551b5a985e54db203f6002c3624b157652e

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
902B

MD5
ad1fdf9b71505595fc4d52486351c86e

SHA1
e9d4519d5335ae6b90abf80a5a4fd5f6f3dbc3cc

SHA256
36f6b3ea2536d0bd3ce86f2e81781a3a4ce816c9c4a14a6f5f54f614d840a90e

SHA512
73f828fab322f116ed6045da0d0f33d2240df6c4eb05d26a0096d4c719d2bc7b60f13aac75bc03809be6e314feef917263a85af16daf2bb790cbd20fcf585a15

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
77311091d9420e0ef1b74e952df9b95c

SHA1
a778b7d60ee0171044c48e72d541ed92304e07d7

SHA256
a8b991d9c5c51eeb6f4cff023d269d17af48e68fbec9624665bf2b5a2c994025

SHA512
d4ebc0bf8bedfd9f0d2bfddd813108783ff99ab30ed1dd24198db0f37cb86f2d7f7c165f21a75f784bc85e1fff72f675c1f599a0a5922ff6fd822f74b06f8708

Download Submit
memory/2744-151-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2744-511-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3336-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3336-893-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3336-839-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3336-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download