7b3f6ba3d8014a27e5d42a7bfee09fb5ba0320bd07aef90b7c7cf0162568c296

Analysis

max time kernel
66s
max time network
67s
platform
windows7_x64
resource
win7v20201028
submitted
03-03-2021 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

-.exe
Size

278KB
MD5

3f43374d0862425c4894da8a4ea9c7f2
SHA1

7b6fd6ad2a57578b2012108880bf89afd315ea9c
SHA256

5066020c9801057b9e6e6e5ced5ef8d35854cb58118e4aae55d7d3b532ebcecd
SHA512

e4765241eda5f1eb5d479e8c2c0497a8c59f70b815f864955846d68160aebcf165e15d52751dc7cf99d5ac203f15d493940daf478a2e5346b09f1beddefceec9

Score

8^/10

discovery evasion spyware trojan upx

Malware Config

Signatures

Executes dropped EXE 16 IoCs

Processes:

setup-stub.exedownload.exesetup.exemaintenanceservice_installer.exemaintenanceservice_tmp.exedefault-browser-agent.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.execrashreporter.exeminidump-analyzer.exe

pid	process
1472	setup-stub.exe
812	download.exe
588	setup.exe
1804	maintenanceservice_installer.exe
956	maintenanceservice_tmp.exe
912	default-browser-agent.exe
1044	firefox.exe
1648	firefox.exe
1844	firefox.exe
1624	firefox.exe
1388	firefox.exe
928	firefox.exe
2316	firefox.exe
2596	firefox.exe
2840	crashreporter.exe
2876	minidump-analyzer.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\download.exe	upx
C:\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\download.exe	upx
C:\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\download.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation firefox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation	firefox.exe

Loads dropped DLL 64 IoCs

Processes:

-.exesetup-stub.exedownload.exesetup.exeregsvr32.exeregsvr32.exemaintenanceservice_installer.exedefault-browser-agent.exe

pid	process
324	-.exe
1472	setup-stub.exe
1472	setup-stub.exe
1472	setup-stub.exe
1472	setup-stub.exe
1472	setup-stub.exe
1472	setup-stub.exe
1472	setup-stub.exe
1472	setup-stub.exe
1472	setup-stub.exe
812	download.exe
588	setup.exe
588	setup.exe
588	setup.exe
1092	regsvr32.exe
1092	regsvr32.exe
1092	regsvr32.exe
1092	regsvr32.exe
1092	regsvr32.exe
1092	regsvr32.exe
1092	regsvr32.exe
1264	regsvr32.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
1804	maintenanceservice_installer.exe
1804	maintenanceservice_installer.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
588	setup.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe
912	default-browser-agent.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exemaintenanceservice_installer.exesetup-stub.exemaintenanceservice_tmp.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\browser\META-INF\cose.manifest	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\mozavutil.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\removed-files	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\freebl3.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\plugin-hang-ui.exe	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\browser\META-INF\cose.sig	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe	maintenanceservice_installer.exe
File created	C:\Program Files (x86)\Mozilla Firefox\uninstall\shortcuts_log.ini	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\platform.ini	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\xul.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Firefox\install.log	setup-stub.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\defaultagent_localized.ini	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	maintenanceservice_tmp.exe
File opened for modification	C:\Program Files (x86)\nsx5719.tmp\	setup-stub.exe
File created	C:\Program Files (x86)\Mozilla Firefox\default-browser-agent.exe	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\pingsender.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	maintenanceservice_installer.exe
File opened for modification	C:\Program Files (x86)\nsi5708.tmp	setup-stub.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\META-INF\cose.manifest	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe.sig	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\application.ini	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\libEGL.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\qipcap.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Firefox\uninstall\shortcuts_log.ini	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\META-INF\mozilla.rsa	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	maintenanceservice_installer.exe
File created	C:\Program Files (x86)\Mozilla Firefox\Accessible.tlb	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\vcruntime140.dll	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\META-INF\cose.sig	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\install.tmp	setup-stub.exe
File created	C:\Program Files (x86)\Mozilla Firefox\META-INF\mozilla.sf	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\browser\META-INF\mozilla.sf	setup.exe
File created	C:\Program Files (x86)\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exesetup.execrashreporter.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\NumMethods\ = "7"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SynchronousInterface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-E7CF176E110C211B\FriendlyTypeName = "Firefox URL"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-E7CF176E110C211B\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\firefox.exe\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Applications	crashreporter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods\ = "9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ = "ISimpleDOMDocument"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods\ = "8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods\ = "18"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-E7CF176E110C211B	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-E7CF176E110C211B\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ = "IGeckoBackChannel"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "AsyncIHandlerControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SynchronousInterface\ = "{CE30F77E-8847-44F0-A648-A9656BD89C0D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32\ = "{DCA8D857-1A63-4045-8F36-8809EB093D04}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ProxyStubClsid32\ = "{DCA8D857-1A63-4045-8F36-8809EB093D04}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ = "IHandlerControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-E7CF176E110C211B\shell\open\command\ = "\"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-E7CF176E110C211B\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\AsynchronousInterface	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Applications\crashreporter.exe\NoOpenWith = "0"	crashreporter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-E7CF176E110C211B\shell\open\command	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Applications\crashreporter.exe\IsHostApp = "0"	crashreporter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-E7CF176E110C211B\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-E7CF176E110C211B\DefaultIcon\ = "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}\InprocHandler32\ = "C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-E7CF176E110C211B	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-E7CF176E110C211B\ = "Firefox URL"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-E7CF176E110C211B\EditFlags = "2"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-E7CF176E110C211B\shell\open\command\ = "\"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-E7CF176E110C211B\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ = "C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\NumMethods\ = "8"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-E7CF176E110C211B\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-E7CF176E110C211B\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\AsynchronousInterface\ = "{DCA8D857-1A63-4045-8F36-8809EB093D04}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Applications\crashreporter.exe	crashreporter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}\InprocHandler32	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

setup-stub.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

maintenanceservice_tmp.exefirefox.exe

pid	process
956	maintenanceservice_tmp.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1648 firefox.exe
Token: SeDebugPrivilege 1648 firefox.exe
Token: SeShutdownPrivilege 1648 firefox.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

setup-stub.exefirefox.exe

pid process

1472 setup-stub.exe
1648 firefox.exe
1648 firefox.exe
1648 firefox.exe
1648 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1648 firefox.exe
1648 firefox.exe
1648 firefox.exe

description	pid	process
Token: SeDebugPrivilege	1648	firefox.exe
Token: SeDebugPrivilege	1648	firefox.exe
Token: SeShutdownPrivilege	1648	firefox.exe

pid	process
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

-.exesetup-stub.exedownload.exesetup.exeregsvr32.exeregsvr32.exemaintenanceservice_installer.exe

description	pid	process	target process
PID 324 wrote to memory of 1472	324	-.exe	setup-stub.exe
PID 324 wrote to memory of 1472	324	-.exe	setup-stub.exe
PID 324 wrote to memory of 1472	324	-.exe	setup-stub.exe
PID 324 wrote to memory of 1472	324	-.exe	setup-stub.exe
PID 324 wrote to memory of 1472	324	-.exe	setup-stub.exe
PID 324 wrote to memory of 1472	324	-.exe	setup-stub.exe
PID 324 wrote to memory of 1472	324	-.exe	setup-stub.exe
PID 1472 wrote to memory of 812	1472	setup-stub.exe	download.exe
PID 1472 wrote to memory of 812	1472	setup-stub.exe	download.exe
PID 1472 wrote to memory of 812	1472	setup-stub.exe	download.exe
PID 1472 wrote to memory of 812	1472	setup-stub.exe	download.exe
PID 812 wrote to memory of 588	812	download.exe	setup.exe
PID 812 wrote to memory of 588	812	download.exe	setup.exe
PID 812 wrote to memory of 588	812	download.exe	setup.exe
PID 812 wrote to memory of 588	812	download.exe	setup.exe
PID 812 wrote to memory of 588	812	download.exe	setup.exe
PID 812 wrote to memory of 588	812	download.exe	setup.exe
PID 812 wrote to memory of 588	812	download.exe	setup.exe
PID 588 wrote to memory of 564	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 564	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 564	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 564	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 564	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 564	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 564	588	setup.exe	regsvr32.exe
PID 564 wrote to memory of 1092	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1092	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1092	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1092	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1092	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1092	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1092	564	regsvr32.exe	regsvr32.exe
PID 588 wrote to memory of 456	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 456	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 456	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 456	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 456	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 456	588	setup.exe	regsvr32.exe
PID 588 wrote to memory of 456	588	setup.exe	regsvr32.exe
PID 456 wrote to memory of 1264	456	regsvr32.exe	regsvr32.exe
PID 456 wrote to memory of 1264	456	regsvr32.exe	regsvr32.exe
PID 456 wrote to memory of 1264	456	regsvr32.exe	regsvr32.exe
PID 456 wrote to memory of 1264	456	regsvr32.exe	regsvr32.exe
PID 456 wrote to memory of 1264	456	regsvr32.exe	regsvr32.exe
PID 456 wrote to memory of 1264	456	regsvr32.exe	regsvr32.exe
PID 456 wrote to memory of 1264	456	regsvr32.exe	regsvr32.exe
PID 588 wrote to memory of 1804	588	setup.exe	maintenanceservice_installer.exe
PID 588 wrote to memory of 1804	588	setup.exe	maintenanceservice_installer.exe
PID 588 wrote to memory of 1804	588	setup.exe	maintenanceservice_installer.exe
PID 588 wrote to memory of 1804	588	setup.exe	maintenanceservice_installer.exe
PID 588 wrote to memory of 1804	588	setup.exe	maintenanceservice_installer.exe
PID 588 wrote to memory of 1804	588	setup.exe	maintenanceservice_installer.exe
PID 588 wrote to memory of 1804	588	setup.exe	maintenanceservice_installer.exe
PID 1804 wrote to memory of 956	1804	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 1804 wrote to memory of 956	1804	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 1804 wrote to memory of 956	1804	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 1804 wrote to memory of 956	1804	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 588 wrote to memory of 912	588	setup.exe	default-browser-agent.exe
PID 588 wrote to memory of 912	588	setup.exe	default-browser-agent.exe
PID 588 wrote to memory of 912	588	setup.exe	default-browser-agent.exe
PID 588 wrote to memory of 912	588	setup.exe	default-browser-agent.exe
PID 1472 wrote to memory of 1044	1472	setup-stub.exe	firefox.exe
PID 1472 wrote to memory of 1044	1472	setup-stub.exe	firefox.exe
PID 1472 wrote to memory of 1044	1472	setup-stub.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\-.exe
"C:\Users\Admin\AppData\Local\Temp\-.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\7zS4417C444\setup-stub.exe
.\setup-stub.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\download.exe
"C:\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\config.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\7zSC2309994\setup.exe
.\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\config.ini
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll"
5⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll"
6⤵
- Loads dropped DLL
- Modifies registry class
PID:1092

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Mozilla Firefox\AccessibleHandler.dll"
5⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Mozilla Firefox\AccessibleHandler.dll"
6⤵
- Loads dropped DLL
- Modifies registry class
PID:1264

C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
"C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1804

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:956

C:\Program Files (x86)\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files (x86)\Mozilla Firefox\default-browser-agent.exe" register-task E7CF176E110C211B
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
3⤵
- Executes dropped EXE
PID:1044

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1648

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.0.533261307\1294184593" -parentBuildID 20210222142601 -prefsHandle 1444 -prefMapHandle 1428 -prefsLen 1 -prefMapSize 228275 -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 1508 gpu
5⤵
- Executes dropped EXE
PID:1844

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.6.1956329536\1365647139" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 1361 -prefMapSize 228275 -parentBuildID 20210222142601 -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 2100 tab
5⤵
- Executes dropped EXE
PID:1624

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.13.655723516\1750839887" -childID 2 -isForBrowser -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 1466 -prefMapSize 228275 -parentBuildID 20210222142601 -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 2272 tab
5⤵
- Executes dropped EXE
PID:1388

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.20.270323246\1624175844" -childID 3 -isForBrowser -prefsHandle 2464 -prefMapHandle 2468 -prefsLen 1467 -prefMapSize 228275 -parentBuildID 20210222142601 -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 2480 tab
5⤵
- Executes dropped EXE
PID:928

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.27.611892505\1986739571" -parentBuildID 20210222142601 -prefsHandle 3060 -prefMapHandle 3056 -prefsLen 2762 -prefMapSize 228275 -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 3076 rdd
5⤵
- Executes dropped EXE
PID:2316

C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.31.765919398\439653653" -childID 4 -isForBrowser -prefsHandle 2436 -prefMapHandle 2228 -prefsLen 9539 -prefMapSize 228275 -parentBuildID 20210222142601 -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 3512 tab
5⤵
- Executes dropped EXE
PID:2596

C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
"C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsx6zi0d.default-release-1\minidumps\ab5f25ce-e1ac-446c-9bbf-44aa55c5f4a5.dmp"
5⤵
- Executes dropped EXE
- Modifies registry class
PID:2840

C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe
"C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsx6zi0d.default-release-1\minidumps\ab5f25ce-e1ac-446c-9bbf-44aa55c5f4a5.dmp"
6⤵
- Executes dropped EXE
PID:2876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4417C444\setup-stub.exe
MD5
d6beab92d6f1a47ebc525d9931da9f62

SHA1
b5f39c15127b92065184fb1f77a8fd9613e0eb3f

SHA256
54fa27f858e1b23905ad776330a51cb8c27eaa14c31c767d18a104f521f25461

SHA512
b331a90c2431dc13e60baf948979b7b155f2b95d64d6101eb0de02d3e79cb53271da406afc7ca7d4f3f8dfa4f62e2f965e2a6b715e4fdb3786d268041f0f1811

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4417C444\setup-stub.exe
MD5
d6beab92d6f1a47ebc525d9931da9f62

SHA1
b5f39c15127b92065184fb1f77a8fd9613e0eb3f

SHA256
54fa27f858e1b23905ad776330a51cb8c27eaa14c31c767d18a104f521f25461

SHA512
b331a90c2431dc13e60baf948979b7b155f2b95d64d6101eb0de02d3e79cb53271da406afc7ca7d4f3f8dfa4f62e2f965e2a6b715e4fdb3786d268041f0f1811

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\Accessible.tlb
MD5
e49aeb412aab7c49a27e6feaa0ca40ce

SHA1
6a2f6ea9facc48a3f736e03fda2c1ce44b744af3

SHA256
754fd922f8c93b66f723c30d39083a6a1fe33fa4b6439d55ad2459be40c3151e

SHA512
8c3f957d032fa8edb523cd3f473a57e2cc020c9e6e33aea183cad8b435777660f4c7e87ba62c67bbb1aef726d109f0f34b2d86c159ca9bd98bfad43c89af7ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\AccessibleHandler.dll
MD5
665df88d8df046a16c668357ad2a2343

SHA1
f162b451a835338046612de0d8943963c663457e

SHA256
5dbe1d264c1a10374e285a9f139706197453827015c6d945851e96fcab43caa4

SHA512
0ead7e7819cea4cd5f55b7faa8db6e69493a968a8532e1f51c02dd4388617be6ff9fbcaf8724c137caea986660f94377bf17a15b55e0bac6057cd327e21a7512

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\AccessibleMarshal.dll
MD5
07b80d135d0bfb6df974d725df431001

SHA1
0b9b46dcd230ba3e31e33a1f4c9388954d21a427

SHA256
0f8774858afcdc2dc508d3cb7ba48a6d099209001ac0c3fe024eb4518423f8a5

SHA512
fa18976b3e749c5639815dc7d2ac0d57de0eb411a99c0acf5223c8b121bcf942ea8ea6936b0313d27b4fc769fad949a0faf4b3b4bd282ca4d98194df455d25d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\IA2Marshal.dll
MD5
05efa7d83e2ac99b22ec8d25031f28e7

SHA1
378453e7f8db7a4f3f5fbe8ee544631baf9bba9b

SHA256
c59afa5d3f52161258fd117d8c471e0947270dab1fd38f468c213e01160bfe78

SHA512
977d691e183b59706db3d0a343a8088904b13d889d0ee3d905adfeed9c3c9e0c9a22762221ace5bf25d023df4fc8268545b934f37d08e8d3b529082761bf112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-core-file-l1-2-0.dll
MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-core-file-l2-1-0.dll
MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-core-localization-l1-2-0.dll
MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-core-processthreads-l1-1-1.dll
MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-core-synch-l1-2-0.dll
MD5
6e704280d632c2f8f2cadefcae25ad85

SHA1
699c5a1c553d64d7ff3cf4fe57da72bb151caede

SHA256
758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893

SHA512
ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-core-timezone-l1-1-0.dll
MD5
c9a55de62e53d747c5a7fddedef874f9

SHA1
c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad

SHA256
b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b

SHA512
adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-conio-l1-1-0.dll
MD5
a668c5ee307457729203ae00edebb6b3

SHA1
2114d84cf3ec576785ebbe6b2184b0d634b86d71

SHA256
a95b1af74623d6d5d892760166b9bfac8926929571301921f1e62458e6d1a503

SHA512
73dc1a1c2ceb98ca6d9ddc7611fc44753184be00cfba07c4947d675f0b154a09e6013e1ef54ac7576e661fc51b4bc54fdd96a0c046ab4ee58282e711b1854730

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-convert-l1-1-0.dll
MD5
9ddea3cc96e0fdd3443cc60d649931b3

SHA1
af3cb7036318a8427f20b8561079e279119dca0e

SHA256
b7c3ebc36c84630a52d23d1c0e79d61012dfa44cdebdf039af31ec9e322845a5

SHA512
1427193b31b64715f5712db9c431593bdc56ef512fe353147ddb7544c1c39ded4371cd72055d82818e965aff0441b7cbe0b811d828efb0ece28471716659e162

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-environment-l1-1-0.dll
MD5
39325e5f023eb564c87d30f7e06dff23

SHA1
03dd79a7fbe3de1a29359b94ba2d554776bdd3fe

SHA256
56d8b7ee7619579a3c648eb130c9354ba1ba5b33a07a4f350370ee7b3653749a

SHA512
087b9dcb744ad7d330bacb9bda9c1a1df28ebb9327de0c5dc618e79929fd33d1b1ff0e1ef4c08f8b3ea8118b968a89f44fe651c66cba4ecbb3216cd4bcce3085

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-filesystem-l1-1-0.dll
MD5
228c6bbe1bce84315e4927392a3baee5

SHA1
ba274aa567ad1ec663a2f9284af2e3cb232698fb

SHA256
ac0cec8644340125507dd0bc9a90b1853a2d194eb60a049237fb5e752d349065

SHA512
37a60cce69e81f68ef62c58bba8f2843e99e8ba1b87df9a5b561d358309e672ae5e3434a10a3dde01ae624d1638da226d42c64316f72f3d63b08015b43c56cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-heap-l1-1-0.dll
MD5
1776a2b85378b27825cf5e5a3a132d9a

SHA1
626f0e7f2f18f31ec304fe7a7af1a87cbbebb1df

SHA256
675b1b82dd485cc8c8a099272db9241d0d2a7f45424901f35231b79186ec47ee

SHA512
541a5dd997fc5fec31c17b4f95f03c3a52e106d6fb590cb46bdf5adad23ed4a895853768229f3fbb9049f614d9bae031e6c43cec43fb38c89f13163721bb8348

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-locale-l1-1-0.dll
MD5
034379bcea45eb99db8cdfeacbc5e281

SHA1
bbf93d82e7e306e827efeb9612e8eab2b760e2b7

SHA256
8b543b1bb241f5b773eb76f652dad7b12e3e4a09230f2e804cd6b0622e8baf65

SHA512
7ea6efb75b0c59d3120d5b13da139042726a06d105c924095ed252f39ac19e11e8a5c6bb1c45fa7519c0163716745d03fb9daaaca50139a115235ab2815cc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-math-l1-1-0.dll
MD5
8da414c3524a869e5679c0678d1640c1

SHA1
60cf28792c68e9894878c31b323e68feb4676865

SHA256
39723e61c98703034b264b97ee0fe12e696c6560483d799020f9847d8a952672

SHA512
6ef3f81206e7d4dca5b3c1fafc9aa2328b717e61ee0acce30dfb15ad0fe3cb59b2bd61f92bf6046c0aae01445896dcb1485ad8be86629d22c3301a1b5f4f2cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-multibyte-l1-1-0.dll
MD5
19d7f2d6424c98c45702489a375d9e17

SHA1
310bc4ed49492383e7c669ac9145bda2956c7564

SHA256
a6b83b764555d517216e0e34c4945f7a7501c1b7a25308d8f85551fe353f9c15

SHA512
01c09edef90c60c9e6cdabff918f15afc9b728d6671947898ce8848e3d102f300f3fb4246af0ac9c6f57b3b85b24832d7b40452358636125b61eb89567d3b17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-private-l1-1-0.dll
MD5
3d139f57ed79d2c788e422ca26950446

SHA1
788e4fb5d1f46b0f1802761d0ae3addb8611c238

SHA256
dc25a882ac454a0071e4815b0e939dc161ba73b5c207b84afd96203c343b99c7

SHA512
12ed9216f44aa5f245c707fe39aed08dc18ea675f5a707098f1a1da42b348a649846bc919fd318de7954ea9097c01f22be76a5d85d664ef030381e7759840765

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-process-l1-1-0.dll
MD5
9d3d6f938c8672a12aea03f85d5330de

SHA1
6a7d6e84527eaf54d6f78dd1a5f20503e766a66c

SHA256
707c9a384440d0b2d067fc0335273f8851b02c3114842e17df9c54127910d7fb

SHA512
0e1681b16cd9af116bcc5c6b4284c1203b33febb197d1d4ab8a649962c0e807af9258bde91c86727910624196948e976741411843dd841616337ea93a27de7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-runtime-l1-1-0.dll
MD5
fb0ca6cbfff46be87ad729a1c4fde138

SHA1
2c302d1c535d5c40f31c3a75393118b40e1b2af9

SHA256
1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df

SHA512
99144c67c33e89b8283c5b39b8bf68d55638daa6acc2715a2ac8c5dba4170dd12299d3a2dffb39ae38ef0872c2c68a64d7cdc6ceba5e660a53942761cb9eca83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-stdio-l1-1-0.dll
MD5
d5166ab3034f0e1aa679bfa1907e5844

SHA1
851dd640cb34177c43b5f47b218a686c09fa6b4c

SHA256
7bcab4ca00fb1f85fea29dd3375f709317b984a6f3b9ba12b8cf1952f97beee5

SHA512
8f2d7442191de22457c1b8402faad594af2fe0c38280aaafc876c797ca79f7f4b6860e557e37c3dbe084fe7262a85c358e3eeaf91e16855a91b7535cb0ac832e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-string-l1-1-0.dll
MD5
ad99c2362f64cde7756b16f9a016a60f

SHA1
07c9a78ee658bfa81db61dab039cffc9145cc6cb

SHA256
73ab2161a7700835b2a15b7487045a695706cc18bcee283b114042570bb9c0aa

SHA512
9c72f239adda1de11b4ad7028f3c897c93859ef277658aeaa141f09b7ddfe788d657b9cb1e2648971ecd5d27b99166283110ccba437d461003dbb9f6885451f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-time-l1-1-0.dll
MD5
9b79fda359a269c63dcac69b2c81caa4

SHA1
a38c81b7a2ec158dfcfeb72cb7c04b3eb3ccc0fb

SHA256
4d0f0ea6e8478132892f9e674e27e2bc346622fc8989c704e5b2299a18c1d138

SHA512
e69d275c5ec5eae5c95b0596f0cc681b7d287b3e2f9c78a9b5e658949e6244f754f96ad7d40214d22ed28d64e4e8bd507363cdf99999fea93cfe319078c1f541

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\api-ms-win-crt-utility-l1-1-0.dll
MD5
70e9104e743069b573ca12a3cd87ec33

SHA1
4290755b6a49212b2e969200e7a088d1713b84a2

SHA256
7e6b33a4c0c84f18f2be294ec63212245af4fd8354636804ffe5ee9a0d526d95

SHA512
e979f28451d271f405b780fc2025707c8a29dcb4c28980ca42e33d4033666de0e4a4644defec6c1d5d4bdd3c73d405fafcffe3320c60134681f62805c965bfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\application.ini
MD5
774e88506f91b463adfcce812141cd82

SHA1
90cf656f26659a0f163620733579a3c22f11c321

SHA256
54f459f3006421821de208f2518ab9a156b4c491ef239c02333d37acb3ef3f83

SHA512
ab2577c54426b677e440f4c795096165ee97fe18e9ca5367012996e9f38f389b8af0876bd3162bd2ca474c9833b8258cbc85481a7ec04068215358541169fb67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\breakpadinjector.dll
MD5
79862a36074397c885c9fe340692073a

SHA1
5f4f0f917fb3c1fed443860a649b32b64128011b

SHA256
3dc9658ce82c8903805d9ae53456ebf52dead511262fc3d275767ef3929ffc2c

SHA512
c1100f6ddd47f89257a97d9702fd3a085f8689e559fd4fe714048fe63fce14804d58c3439040cb48918e7606103492f77602e61e21cae488438363dc9e7f2ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\crashreporter.exe
MD5
b9cc680956090951c1ef3c5dabcbab17

SHA1
93e767f21c5f1acae6ef7d0e085a4eefbd744300

SHA256
f95d34f8a363655b8ffe16acbae05e0cd24bc480c997743b23438875ca2063b1

SHA512
85dfa0d26c88fbfe5257621026ecfe20e313a910dadf104f96a83f5159a73387799e609f28aaf0047120fd0814c1db8f72a1b31d8791f6106ba764bab67022f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\crashreporter.ini
MD5
73a29bbd8d7c4e613beffe1ea8cd4af8

SHA1
f1a2cba979540fc64ee4ae44515a44aaf973f62c

SHA256
7702955b5033ed84ac044db8db54eab5d725357fe5000033ed3a68a4e6e7526e

SHA512
713b42828771d497e8e8dca903b71718f90718a815ba60ffd3a4fb238e5b28a859d09c660c615c055f21f62e842bfe3eb677ef4c43ef1e19642091ece914f5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\d3dcompiler_47.dll
MD5
587a415cd5ac2069813adef5f7685021

SHA1
ca0e2fe1922b3cdc9e96e636a73e5c85a838e863

SHA256
2ad0d4987fc4624566b190e747c9d95038443956ed816abfd1e2d389b5ec0851

SHA512
0fa0e89ea1c1cb27ac7f621feb484438e378a8f5675eca7a91f24e0569174bd848d470d6b3e237fe6ab27ca1eb1ecc09b5f044e53a6d98bf908e77ac511183e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\default-browser-agent.exe
MD5
573503e55f05cbf86847c23c79a61f48

SHA1
8a80d45f48872e460db74872528ea61324eb1197

SHA256
10f078c8415d460807c65942c095934b92548ed14da978b337f455a619e37df6

SHA512
58038653de7f09de521fbbee70776ff9dad046d5d51de24383c6d965beb583ae6f70b43664f72edea809d641c721f85e339577187b0859d5cebeae75dbecd367

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\defaultagent.ini
MD5
88d7d32ad20bf89bb7785bd07c638e17

SHA1
2bd40f0b69c2edc64ab6b7e6dd2e7ca6a6fea6f6

SHA256
5cf0660a8f2624433c8c1022f93ff3c94c5611ccbc93118ee053566590eb53f4

SHA512
7bb3328ce42e7bb546a2192ade1e8e153408912f3582c27dc0c5cbe1c2d807365aaf4206c3ceab6cb3d6c34d3155125cb7509dbf800ecf70ab35f8a64f764010

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\defaultagent_localized.ini
MD5
d32ae533557d581be652a47395c83821

SHA1
28894ab7148ec5d215e28686837b93d8e625d13d

SHA256
edd87b0122ad61642dcd07c7119574daf43d33d4b5a3b0a03b4e227720bd1036

SHA512
7fed0d80914358d4877b3a80c04c50a16f7ea4b6fda7f9b5aca1742bcabcda91bbacad944e8109192c73d2d2c21ebfa75eaa92c3805e921a6cd7edf87138b036

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\dependentlibs.list
MD5
c35d2da6df0f7abb4d0bd534c5d5b6b0

SHA1
a4da4ca15d97746796412c2bad3fc8fbea716869

SHA256
ce638d544efe50176888e17bfbf78f118dc733ce5c2fee2eb66436ba96341345

SHA512
d27f58fb344b2303db2f4a48a153c9f11eec1663020ba8b5b973fd001c4a8c27c11e29a54b6d1913888b4ddf376aa7f45c8218378abe39a64ebdae4feb6b25cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\firefox.VisualElementsManifest.xml
MD5
0aa43576f0420593451b10ab3b7582ec

SHA1
b5f535932053591c7678faa1cd7cc3a7de680d0d

SHA256
3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6

SHA512
6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\firefox.exe
MD5
59864f84cfa4e6e3c8c3d4780139b094

SHA1
3a4044ed0b40ebc49bb43fa0db5ddfdc61ee2513

SHA256
030aee8acceaa31566d714ab2f090776e36340ae06a14725461a493c4cc68cff

SHA512
015fb30f59c6df60082080743475391049c4b5a1d1aa0192f3b4e131039f97ca94fd88614c9aec74af705010667c97308ce84e6bfc01bf60829e64fa6266b16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\firefox.exe.sig
MD5
343a725264f3b785db113d673bf08ba3

SHA1
66f67fa035e2ce82e235e7453982c5923292b064

SHA256
b55bdd17f176e6f6ada4a82bc431f09cbd336baa8855c4261316ed453bfc821d

SHA512
4c09d9b9d45b34b8f1be70a1d15d0807177f999d19756a82cbd75ce094865bfafb19db31219a738e2465ee678bdb0438d06c4d6e3bf9cfc2914fa8239f9de2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\freebl3.dll
MD5
0ac9e11dcacb32e58b78dc600e975306

SHA1
84225122f2d65de7320c2fe5533df4b3533a8f77

SHA256
ebf4f0501ff3f80de26bf27b909ea84979bde9713081e4281a1f0e5b4e6ce854

SHA512
cb3f70e637a30f5fbd59896ebf0ee992ba7597792420c1b0aa969e59cb3830ad38578b8d7d37d06177725d7a3f2be4088ec531bbfa2f57f9e3cba3f78d7ec52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\lgpllibs.dll
MD5
e6b6214cd88b6fc2c0a587275b53e1fc

SHA1
1ec046810f467bcc525787a7e6771682bb667b76

SHA256
8917c658669e8b0df3c1694391274bbb9ebb957f13556c9d5ce14ad11179d0a5

SHA512
37d6c0ceadcbb0b712ff8106fa75535d419ec0f290a2458b49b4206084b3927e37b50c44e4045443c6c1876e87d559adae5d3595850c7ac7fcdbc56e051db407

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\libEGL.dll
MD5
5ee9761443d829e189eed45b057ef0fe

SHA1
b0e24495bb97777faaf204d9b21718139f680873

SHA256
207be37bdf8769abf03bfb2e5d36029dc9feeb31bd4f066f34af4c9ba8e792ff

SHA512
98828154a65dc540a51c3e67b3a3be544bf35621588e818b9f33c18e83bef55036c9402e133f55c9bff5145ef88b761c2e4e125f1b86928cfbb3dc1987ad223e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\libGLESv2.dll
MD5
f723aa0071330b0bb838e27b14973f25

SHA1
0b1a31aa31375d396a65abf973a3c1bfc5f9af2a

SHA256
f7d95117469ac1088f37bc903f3b3ef58530c9ede48496b5b5b9434fe0338fa3

SHA512
adb4e639769a213c5329f5de4cd460db0593b0c6647e3e5f9a92f43d9c864882fff73f6592b3dd930f526e2a659e1e2816ad6778dc59531519ffece99ff83585

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\locale.ini
MD5
805452256c940cc968999591eaff91e3

SHA1
d0f280665d05cd5cb8cc0911fd1af6382a4418c1

SHA256
d20e9ac1e8f4f5ec827cb2332d39fd0d286d7e1987bc0ffa5567f709347c23f4

SHA512
70ef08a3968a7d6295d7309706827414274cc601e3ac726b58d4547e363da746a0907c25e8fb41a01448bb7f779a8faa5c17c15350d1caa41f71a5138c9043a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\maintenanceservice.exe
MD5
df6d35a78db83d41cbd467a0f5e72c99

SHA1
019e5358d1936355c272c82184b008fe763c31c3

SHA256
c62602f9c91313819d3880535112d9599cc3bb72dfa4c49be1b63e33ee87b7cf

SHA512
65dc17026099e34ff15d0efe798ee313963e66b00e4773d2f21ab3e1b50b909666778158dd68f528ddbf0583c2a18c6bf3be9db3811fc7119e406537eafaf1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\core\maintenanceservice_installer.exe
MD5
91172d81e05b59fa9362f505dc32b0ed

SHA1
35047d3a58d989dd4a68da7a9758961e5d24e4d1

SHA256
7e4e0860113e67a9f65cb127ccc20139ef41edb3949f42cf262da8d096313e89

SHA512
6d48b7827c1964d33e72a79182f3576cb39055ff88dfbed6997a1ba73a838053ede6f9c337b69d5f58b2c4a35b311b108f364b171629ae3f594ae5191fca9c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\setup.exe
MD5
3282cbc8d6cc33818be70c13ca15c2d6

SHA1
a2612b726fa65b1d53889f15c48f0a8787d1ed79

SHA256
f85ec85eabb0f59046fdfb553f1eefa578c8a2ecffed6fd1b94c39dba1c5f314

SHA512
2834f27de0e5f03eb05ea701097fa75830dfd7b7da8478bcd4d47e01f2b36964297099ef4a49437b7331d8ee516542c7501031533f7f95f111328e63c2464b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2309994\setup.exe
MD5
3282cbc8d6cc33818be70c13ca15c2d6

SHA1
a2612b726fa65b1d53889f15c48f0a8787d1ed79

SHA256
f85ec85eabb0f59046fdfb553f1eefa578c8a2ecffed6fd1b94c39dba1c5f314

SHA512
2834f27de0e5f03eb05ea701097fa75830dfd7b7da8478bcd4d47e01f2b36964297099ef4a49437b7331d8ee516542c7501031533f7f95f111328e63c2464b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\config.ini
MD5
808a01989d75798a86c69d493e5601db

SHA1
0fe14c6c154c57b94dd222a33826f90ccb901d25

SHA256
cb98c1a86a1362906757a0e36383f21ab1362f34c35c94295a95ee01ed7bcc9b

SHA512
b51eb9f04e64fb0f29938f16406478cb5d873692c7ac8ba4dcad77e31c7337998cef07943e454f039f704de22e72f6ea387c5e2dc2c6ef4f6a45f93a47897b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\download.exe
MD5
9e47586cf1376a9c88518190e083c3f4

SHA1
a591330b84ace7b5e5afa100ffa64026f8adca69

SHA256
5da5b16d5d513f1d217f570dc710b585c639b45937887f3e98b7b2088b4778a7

SHA512
7ba5706d261f66c150aca3cafc38a6287de6253c15e8fc8a0b78e1eb3f4b506bb2021114ef0af2f2b4f7f8de980048610be1941218ce664531c8b2c08b1a2dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\download.exe
MD5
9e47586cf1376a9c88518190e083c3f4

SHA1
a591330b84ace7b5e5afa100ffa64026f8adca69

SHA256
5da5b16d5d513f1d217f570dc710b585c639b45937887f3e98b7b2088b4778a7

SHA512
7ba5706d261f66c150aca3cafc38a6287de6253c15e8fc8a0b78e1eb3f4b506bb2021114ef0af2f2b4f7f8de980048610be1941218ce664531c8b2c08b1a2dcd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4417C444\setup-stub.exe
MD5
d6beab92d6f1a47ebc525d9931da9f62

SHA1
b5f39c15127b92065184fb1f77a8fd9613e0eb3f

SHA256
54fa27f858e1b23905ad776330a51cb8c27eaa14c31c767d18a104f521f25461

SHA512
b331a90c2431dc13e60baf948979b7b155f2b95d64d6101eb0de02d3e79cb53271da406afc7ca7d4f3f8dfa4f62e2f965e2a6b715e4fdb3786d268041f0f1811

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC2309994\setup.exe
MD5
3282cbc8d6cc33818be70c13ca15c2d6

SHA1
a2612b726fa65b1d53889f15c48f0a8787d1ed79

SHA256
f85ec85eabb0f59046fdfb553f1eefa578c8a2ecffed6fd1b94c39dba1c5f314

SHA512
2834f27de0e5f03eb05ea701097fa75830dfd7b7da8478bcd4d47e01f2b36964297099ef4a49437b7331d8ee516542c7501031533f7f95f111328e63c2464b28

Download Submit
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\CertCheck.dll
MD5
2979f933cbbac19cfe35b1fa02cc95a4

SHA1
4f208c9c12199491d7ba3c1ee640fca615e11e92

SHA256
bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f

SHA512
61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

Download Submit
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\InetBgDL.dll
MD5
73a0bec837004bc5ae5cd0a5b0d3bcf8

SHA1
92cb463841b6adeecb8cc9cc8eb5f39a61dc7edd

SHA256
0dd38281a824298100b2bc89ee5b8a5c9cd9ec7a3b051dff42037a891fa7c534

SHA512
f7aa18261fb4ef99b66e9a16e2df6323d34444de84a5bdabd3890154b0207f8509f34f2fe115b00e2396d33df778be6456a7fd754cc00271f8189e5a4420b6d2

Download Submit
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\UAC.dll
MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\download.exe
MD5
9e47586cf1376a9c88518190e083c3f4

SHA1
a591330b84ace7b5e5afa100ffa64026f8adca69

SHA256
5da5b16d5d513f1d217f570dc710b585c639b45937887f3e98b7b2088b4778a7

SHA512
7ba5706d261f66c150aca3cafc38a6287de6253c15e8fc8a0b78e1eb3f4b506bb2021114ef0af2f2b4f7f8de980048610be1941218ce664531c8b2c08b1a2dcd

Download Submit
\Users\Admin\AppData\Local\Temp\nsi56B9.tmp\nsDialogs.dll
MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
\Users\Admin\AppData\Local\Temp\nsxBF98.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsxBF98.tmp\UAC.dll
MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
memory/456-84-0x0000000000000000-mapping.dmp

Download
memory/564-81-0x000007FEFC3E1000-0x000007FEFC3E3000-memory.dmp

Filesize
8KB

Download
memory/564-80-0x0000000000000000-mapping.dmp

Download
memory/588-29-0x0000000000000000-mapping.dmp

Download
memory/812-25-0x0000000000000000-mapping.dmp

Download
memory/912-92-0x0000000000000000-mapping.dmp

Download
memory/928-108-0x0000000000000000-mapping.dmp

Download
memory/956-90-0x0000000000000000-mapping.dmp

Download
memory/1044-95-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1044-94-0x0000000000000000-mapping.dmp

Download
memory/1092-82-0x0000000000000000-mapping.dmp

Download
memory/1264-86-0x0000000000000000-mapping.dmp

Download
memory/1388-105-0x0000000000000000-mapping.dmp

Download
memory/1472-5-0x00000000766C1000-0x00000000766C3000-memory.dmp

Filesize
8KB

Download
memory/1472-3-0x0000000000000000-mapping.dmp

Download
memory/1624-102-0x0000000000000000-mapping.dmp

Download
memory/1648-118-0x000000006C702000-0x000000006C716000-memory.dmp

Filesize
80KB

Download
memory/1648-96-0x0000000000000000-mapping.dmp

Download
memory/1648-119-0x000000000CE80000-0x000000000CE8A000-memory.dmp

Filesize
40KB

Download
memory/1804-88-0x0000000000000000-mapping.dmp

Download
memory/1844-100-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/1844-98-0x0000000000000000-mapping.dmp

Download
memory/2316-113-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/2316-116-0x000000006C702000-0x000000006C716000-memory.dmp

Filesize
80KB

Download
memory/2316-111-0x0000000000000000-mapping.dmp

Download
memory/2596-115-0x0000000000000000-mapping.dmp

Download
memory/2840-120-0x0000000000000000-mapping.dmp

Download
memory/2876-122-0x0000000000000000-mapping.dmp

Download