70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6

Analysis

max time kernel
118s
max time network
155s
platform
windows7_x64
resource
win7v20210408
submitted
11-05-2021 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
Size

1.0MB
MD5

30fd7fadaf2d351f849d841bb15bbc7d
SHA1

8c3d626dd7f709a4a5376b7272937afbe21757fa
SHA256

70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6
SHA512

21501348b7b04d9b42709eb899ee63bb78c2217b95a4693f494921b08e4ff01aaffa67da5c0829e99ed7b4a921ae323d7cdb21d6da2480806f605f6b0864ce4c

Score

8^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exesetup-stub.exeSynaptics.exedownload.exesetup.exemaintenanceservice_installer.exemaintenanceservice_tmp.exedefault-browser-agent.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
1184	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
1292	setup-stub.exe
1980	Synaptics.exe
828	download.exe
1996	setup.exe
1028	maintenanceservice_installer.exe
1080	maintenanceservice_tmp.exe
1628	default-browser-agent.exe
1820	firefox.exe
1332	firefox.exe
1032	firefox.exe
928	firefox.exe
1756	firefox.exe
2176	firefox.exe
2400	firefox.exe
2672	firefox.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	upx
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\download.exe	upx
C:\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\download.exe	upx
C:\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\download.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation	firefox.exe

Loads dropped DLL 64 IoCs

Processes:

70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exesetup-stub.exedownload.exesetup.exeregsvr32.exeregsvr32.exemaintenanceservice_installer.exedefault-browser-agent.exe

pid	process
1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
1184	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
1292	setup-stub.exe
1292	setup-stub.exe
1292	setup-stub.exe
1292	setup-stub.exe
1292	setup-stub.exe
1292	setup-stub.exe
1292	setup-stub.exe
1292	setup-stub.exe
1292	setup-stub.exe
828	download.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1896	regsvr32.exe
1896	regsvr32.exe
1896	regsvr32.exe
1896	regsvr32.exe
1896	regsvr32.exe
1896	regsvr32.exe
1896	regsvr32.exe
1992	regsvr32.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1028	maintenanceservice_installer.exe
1028	maintenanceservice_installer.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1996	setup.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe
1628	default-browser-agent.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup-stub.exesetup.exemaintenanceservice_tmp.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\META-INF\cose.manifest	setup.exe
File created	C:\Program Files\Mozilla Firefox\vcruntime140.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nss9662.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	maintenanceservice_tmp.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\freebl3.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libEGL.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\META-INF\manifest.mf	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\	setup.exe
File created	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\META-INF\mozilla.sf	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsc66C2.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.tmp	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\META-INF\cose.sig	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\osclientcerts.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	setup.exe
File created	C:\Program Files\Mozilla Firefox\META-INF\mozilla.rsa	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsc66C0.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exesetup.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "AsyncIHandlerControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods\ = "8"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\NumMethods\ = "8"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods\ = "9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\ = "Firefox HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\URL Protocol	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\firefox.exe\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ = "IGeckoBackChannel"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ = "ISimpleDOMDocument"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\FriendlyTypeName = "Firefox Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\FriendlyTypeName = "Firefox URL"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\ = "Firefox Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\NumMethods\ = "7"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SynchronousInterface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\NumMethods\ = "5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\DDEEXEC	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ = "ISimpleDOMText"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}\InprocHandler32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\AsynchronousInterface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SynchronousInterface\ = "{CE30F77E-8847-44F0-A648-A9656BD89C0D}"	regsvr32.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

setup-stub.exeSynaptics.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup-stub.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

maintenanceservice_tmp.exe

pid process

1080 maintenanceservice_tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 1332 firefox.exe
Token: SeDebugPrivilege 1332 firefox.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

setup-stub.exefirefox.exe

pid process

1292 setup-stub.exe
1332 firefox.exe
1332 firefox.exe
1332 firefox.exe
1332 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1332 firefox.exe
1332 firefox.exe
1332 firefox.exe

pid	process
1080	maintenanceservice_tmp.exe

description	pid	process
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	1332	firefox.exe

pid	process
1292	setup-stub.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe

pid	process
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1628 wrote to memory of 1184	1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
PID 1628 wrote to memory of 1184	1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
PID 1628 wrote to memory of 1184	1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
PID 1628 wrote to memory of 1184	1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
PID 1184 wrote to memory of 1292	1184	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	setup-stub.exe
PID 1184 wrote to memory of 1292	1184	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	setup-stub.exe
PID 1184 wrote to memory of 1292	1184	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	setup-stub.exe
PID 1184 wrote to memory of 1292	1184	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	setup-stub.exe
PID 1184 wrote to memory of 1292	1184	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	setup-stub.exe
PID 1184 wrote to memory of 1292	1184	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	setup-stub.exe
PID 1184 wrote to memory of 1292	1184	._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	setup-stub.exe
PID 1628 wrote to memory of 1980	1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	Synaptics.exe
PID 1628 wrote to memory of 1980	1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	Synaptics.exe
PID 1628 wrote to memory of 1980	1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	Synaptics.exe
PID 1628 wrote to memory of 1980	1628	70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe	Synaptics.exe
PID 1292 wrote to memory of 828	1292	setup-stub.exe	download.exe
PID 1292 wrote to memory of 828	1292	setup-stub.exe	download.exe
PID 1292 wrote to memory of 828	1292	setup-stub.exe	download.exe
PID 1292 wrote to memory of 828	1292	setup-stub.exe	download.exe
PID 828 wrote to memory of 1996	828	download.exe	setup.exe
PID 828 wrote to memory of 1996	828	download.exe	setup.exe
PID 828 wrote to memory of 1996	828	download.exe	setup.exe
PID 828 wrote to memory of 1996	828	download.exe	setup.exe
PID 828 wrote to memory of 1996	828	download.exe	setup.exe
PID 828 wrote to memory of 1996	828	download.exe	setup.exe
PID 828 wrote to memory of 1996	828	download.exe	setup.exe
PID 1996 wrote to memory of 952	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 952	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 952	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 952	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 952	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 952	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 952	1996	setup.exe	regsvr32.exe
PID 952 wrote to memory of 1896	952	regsvr32.exe	regsvr32.exe
PID 952 wrote to memory of 1896	952	regsvr32.exe	regsvr32.exe
PID 952 wrote to memory of 1896	952	regsvr32.exe	regsvr32.exe
PID 952 wrote to memory of 1896	952	regsvr32.exe	regsvr32.exe
PID 952 wrote to memory of 1896	952	regsvr32.exe	regsvr32.exe
PID 952 wrote to memory of 1896	952	regsvr32.exe	regsvr32.exe
PID 952 wrote to memory of 1896	952	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 624	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 624	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 624	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 624	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 624	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 624	1996	setup.exe	regsvr32.exe
PID 1996 wrote to memory of 624	1996	setup.exe	regsvr32.exe
PID 624 wrote to memory of 1992	624	regsvr32.exe	regsvr32.exe
PID 624 wrote to memory of 1992	624	regsvr32.exe	regsvr32.exe
PID 624 wrote to memory of 1992	624	regsvr32.exe	regsvr32.exe
PID 624 wrote to memory of 1992	624	regsvr32.exe	regsvr32.exe
PID 624 wrote to memory of 1992	624	regsvr32.exe	regsvr32.exe
PID 624 wrote to memory of 1992	624	regsvr32.exe	regsvr32.exe
PID 624 wrote to memory of 1992	624	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 1028	1996	setup.exe	maintenanceservice_installer.exe
PID 1996 wrote to memory of 1028	1996	setup.exe	maintenanceservice_installer.exe
PID 1996 wrote to memory of 1028	1996	setup.exe	maintenanceservice_installer.exe
PID 1996 wrote to memory of 1028	1996	setup.exe	maintenanceservice_installer.exe
PID 1996 wrote to memory of 1028	1996	setup.exe	maintenanceservice_installer.exe
PID 1996 wrote to memory of 1028	1996	setup.exe	maintenanceservice_installer.exe
PID 1996 wrote to memory of 1028	1996	setup.exe	maintenanceservice_installer.exe
PID 1028 wrote to memory of 1080	1028	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 1028 wrote to memory of 1080	1028	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 1028 wrote to memory of 1080	1028	maintenanceservice_installer.exe	maintenanceservice_tmp.exe

C:\Users\Admin\AppData\Local\Temp\70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
"C:\Users\Admin\AppData\Local\Temp\70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\7zS0A4EB074\setup-stub.exe
    .\setup-stub.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\download.exe
      "C:\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\config.ini
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:828
    - - C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\setup.exe
        
        .\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\config.ini
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        7⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1896
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
        7⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1992
      - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
        
        "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1080
      - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
        
        "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1628
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
      4⤵
      Executes dropped EXE
      PID:1820
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Checks whether UAC is enabled
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1332
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.0.1192591513\1682129501" -parentBuildID 20210504152106 -prefsHandle 1448 -prefMapHandle 1432 -prefsLen 1 -prefMapSize 233238 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 1524 gpu
        6⤵
        Executes dropped EXE
        
        PID:1032
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.6.108934617\93252596" -childID 1 -isForBrowser -prefsHandle 2016 -prefMapHandle 2012 -prefsLen 1195 -prefMapSize 233238 -parentBuildID 20210504152106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2028 tab
        6⤵
        Executes dropped EXE
        
        PID:928
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.13.2128757980\514871960" -childID 2 -isForBrowser -prefsHandle 2220 -prefMapHandle 2216 -prefsLen 1195 -prefMapSize 233238 -parentBuildID 20210504152106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2232 tab
        6⤵
        Executes dropped EXE
        
        PID:1756
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.20.1213820736\1462846255" -parentBuildID 20210504152106 -prefsHandle 2484 -prefMapHandle 2488 -prefsLen 1304 -prefMapSize 233238 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2500 rdd
        6⤵
        Executes dropped EXE
        
        PID:2176
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.24.2074050990\1478817881" -childID 3 -isForBrowser -prefsHandle 2000 -prefMapHandle 1996 -prefsLen 1465 -prefMapSize 233238 -parentBuildID 20210504152106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2196 tab
        6⤵
        Executes dropped EXE
        
        PID:2400
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.31.1603212569\1355701712" -childID 4 -isForBrowser -prefsHandle 3752 -prefMapHandle 3776 -prefsLen 10411 -prefMapSize 233238 -parentBuildID 20210504152106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 3784 tab
        6⤵
        Executes dropped EXE
        
        PID:2672
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

MD5
46b247fca1cd3f02cbd15ac903c5350b

SHA1
8492c327773b05b599c9091d266d53e6fba576be

SHA256
bc7d7cb82d5fea62954430f7e237b064ff341394701e63226d89f0c0cf95c4bf

SHA512
976d72068d438c66f65b043466870ff7349fe0e634b6bed555992cc587edaeb42b2d78996a5d1d74aaf0a7e3ffa972bf8765956dca8eaa7a072be5d869016d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe

MD5
9e856bf436c3b746f73895b6635439ff

SHA1
75f6aa967a6524cf902f057e4e47703c77f1f932

SHA256
e5ff5db8090b24c5dfeb68dbaa8de1c2895a2cd68845f41c494a1e4a38d93f98

SHA512
e4ca2622cc5554e99207dd2330ff064901b288a34b7be7aaffaa1689cfc0c7e4963ac3322cf587050b37f9e3882d94d3e1d94aaf185c076ee324dd2a57d2b1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe

MD5
9e856bf436c3b746f73895b6635439ff

SHA1
75f6aa967a6524cf902f057e4e47703c77f1f932

SHA256
e5ff5db8090b24c5dfeb68dbaa8de1c2895a2cd68845f41c494a1e4a38d93f98

SHA512
e4ca2622cc5554e99207dd2330ff064901b288a34b7be7aaffaa1689cfc0c7e4963ac3322cf587050b37f9e3882d94d3e1d94aaf185c076ee324dd2a57d2b1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A4EB074\setup-stub.exe

MD5
a76b09c51e1e8406cebf9dc4756bf922

SHA1
991e2670f5601240c37c13b29bd85b67a6c76398

SHA256
889237e20913935ddd66733c299d4aacd1fdeb0dd039b043a59570ae05a4f9fe

SHA512
637a852b0830bbb691e492d8d82e96353fe1f68378942c835d457573bde71ea5665c1216e73854a4e808e8929c49ff3b7357cc127b452998196fc62c2b37e544

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A4EB074\setup-stub.exe

MD5
a76b09c51e1e8406cebf9dc4756bf922

SHA1
991e2670f5601240c37c13b29bd85b67a6c76398

SHA256
889237e20913935ddd66733c299d4aacd1fdeb0dd039b043a59570ae05a4f9fe

SHA512
637a852b0830bbb691e492d8d82e96353fe1f68378942c835d457573bde71ea5665c1216e73854a4e808e8929c49ff3b7357cc127b452998196fc62c2b37e544

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\Accessible.tlb

MD5
e49aeb412aab7c49a27e6feaa0ca40ce

SHA1
6a2f6ea9facc48a3f736e03fda2c1ce44b744af3

SHA256
754fd922f8c93b66f723c30d39083a6a1fe33fa4b6439d55ad2459be40c3151e

SHA512
8c3f957d032fa8edb523cd3f473a57e2cc020c9e6e33aea183cad8b435777660f4c7e87ba62c67bbb1aef726d109f0f34b2d86c159ca9bd98bfad43c89af7ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\AccessibleHandler.dll

MD5
27479817764ff917c3a126625ca8d3ce

SHA1
58f20a3eb275b0c4ffefef4d5f26c224de6acc0a

SHA256
86aefd355fb15d641fecab8a02cc7917810ac5625d4bfdf72c85b20ae9c97e0d

SHA512
bcb7af8a0d7c376b4f019173e73d2a2dd73a4214dac6b14a1b52218668987a04a5d8872cf4f5b505717846749488bc19b5ea107c0ec3040b9b569780cd9fb460

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\AccessibleMarshal.dll

MD5
c080c78d7300d6a91f1da20b9a93e3ac

SHA1
52b62a17631d36d96d4aff6a58430c6fb4e4f199

SHA256
69b210dfc1cddd2517e97d5873aaac3cd21c574899b35140657142369879f4c3

SHA512
a73dba4b7523a7cfa981d74960606e680c056fce207bd2e226e99670626e83e6a9786474c473a04bdfbee55736035457c647a7148f8c25b6f491b7124be42d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\IA2Marshal.dll

MD5
b75e81a2de12a43f25a0b7563f16733f

SHA1
385112d3151ef80f1007a825bfd0510d52d6c2b4

SHA256
afaf68e5d0f460be8ad1799958110805d782f2220178b539c908de4ca7ee2d42

SHA512
eda62d834f025ef1fb811928a9be5d42e702cd5871c726751bc70a0f6499b73c4e21e0cc54466f0d667e2f827a95c8f84b21413529c0abbf2028cb2750be2594

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-core-file-l1-2-0.dll

MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-core-file-l2-1-0.dll

MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-core-localization-l1-2-0.dll

MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-core-processthreads-l1-1-1.dll

MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-core-synch-l1-2-0.dll

MD5
6e704280d632c2f8f2cadefcae25ad85

SHA1
699c5a1c553d64d7ff3cf4fe57da72bb151caede

SHA256
758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893

SHA512
ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-core-timezone-l1-1-0.dll

MD5
c9a55de62e53d747c5a7fddedef874f9

SHA1
c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad

SHA256
b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b

SHA512
adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-conio-l1-1-0.dll

MD5
a668c5ee307457729203ae00edebb6b3

SHA1
2114d84cf3ec576785ebbe6b2184b0d634b86d71

SHA256
a95b1af74623d6d5d892760166b9bfac8926929571301921f1e62458e6d1a503

SHA512
73dc1a1c2ceb98ca6d9ddc7611fc44753184be00cfba07c4947d675f0b154a09e6013e1ef54ac7576e661fc51b4bc54fdd96a0c046ab4ee58282e711b1854730

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-convert-l1-1-0.dll

MD5
9ddea3cc96e0fdd3443cc60d649931b3

SHA1
af3cb7036318a8427f20b8561079e279119dca0e

SHA256
b7c3ebc36c84630a52d23d1c0e79d61012dfa44cdebdf039af31ec9e322845a5

SHA512
1427193b31b64715f5712db9c431593bdc56ef512fe353147ddb7544c1c39ded4371cd72055d82818e965aff0441b7cbe0b811d828efb0ece28471716659e162

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-environment-l1-1-0.dll

MD5
39325e5f023eb564c87d30f7e06dff23

SHA1
03dd79a7fbe3de1a29359b94ba2d554776bdd3fe

SHA256
56d8b7ee7619579a3c648eb130c9354ba1ba5b33a07a4f350370ee7b3653749a

SHA512
087b9dcb744ad7d330bacb9bda9c1a1df28ebb9327de0c5dc618e79929fd33d1b1ff0e1ef4c08f8b3ea8118b968a89f44fe651c66cba4ecbb3216cd4bcce3085

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-filesystem-l1-1-0.dll

MD5
228c6bbe1bce84315e4927392a3baee5

SHA1
ba274aa567ad1ec663a2f9284af2e3cb232698fb

SHA256
ac0cec8644340125507dd0bc9a90b1853a2d194eb60a049237fb5e752d349065

SHA512
37a60cce69e81f68ef62c58bba8f2843e99e8ba1b87df9a5b561d358309e672ae5e3434a10a3dde01ae624d1638da226d42c64316f72f3d63b08015b43c56cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-heap-l1-1-0.dll

MD5
1776a2b85378b27825cf5e5a3a132d9a

SHA1
626f0e7f2f18f31ec304fe7a7af1a87cbbebb1df

SHA256
675b1b82dd485cc8c8a099272db9241d0d2a7f45424901f35231b79186ec47ee

SHA512
541a5dd997fc5fec31c17b4f95f03c3a52e106d6fb590cb46bdf5adad23ed4a895853768229f3fbb9049f614d9bae031e6c43cec43fb38c89f13163721bb8348

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-locale-l1-1-0.dll

MD5
034379bcea45eb99db8cdfeacbc5e281

SHA1
bbf93d82e7e306e827efeb9612e8eab2b760e2b7

SHA256
8b543b1bb241f5b773eb76f652dad7b12e3e4a09230f2e804cd6b0622e8baf65

SHA512
7ea6efb75b0c59d3120d5b13da139042726a06d105c924095ed252f39ac19e11e8a5c6bb1c45fa7519c0163716745d03fb9daaaca50139a115235ab2815cc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-math-l1-1-0.dll

MD5
8da414c3524a869e5679c0678d1640c1

SHA1
60cf28792c68e9894878c31b323e68feb4676865

SHA256
39723e61c98703034b264b97ee0fe12e696c6560483d799020f9847d8a952672

SHA512
6ef3f81206e7d4dca5b3c1fafc9aa2328b717e61ee0acce30dfb15ad0fe3cb59b2bd61f92bf6046c0aae01445896dcb1485ad8be86629d22c3301a1b5f4f2cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-multibyte-l1-1-0.dll

MD5
19d7f2d6424c98c45702489a375d9e17

SHA1
310bc4ed49492383e7c669ac9145bda2956c7564

SHA256
a6b83b764555d517216e0e34c4945f7a7501c1b7a25308d8f85551fe353f9c15

SHA512
01c09edef90c60c9e6cdabff918f15afc9b728d6671947898ce8848e3d102f300f3fb4246af0ac9c6f57b3b85b24832d7b40452358636125b61eb89567d3b17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-private-l1-1-0.dll

MD5
3d139f57ed79d2c788e422ca26950446

SHA1
788e4fb5d1f46b0f1802761d0ae3addb8611c238

SHA256
dc25a882ac454a0071e4815b0e939dc161ba73b5c207b84afd96203c343b99c7

SHA512
12ed9216f44aa5f245c707fe39aed08dc18ea675f5a707098f1a1da42b348a649846bc919fd318de7954ea9097c01f22be76a5d85d664ef030381e7759840765

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-process-l1-1-0.dll

MD5
9d3d6f938c8672a12aea03f85d5330de

SHA1
6a7d6e84527eaf54d6f78dd1a5f20503e766a66c

SHA256
707c9a384440d0b2d067fc0335273f8851b02c3114842e17df9c54127910d7fb

SHA512
0e1681b16cd9af116bcc5c6b4284c1203b33febb197d1d4ab8a649962c0e807af9258bde91c86727910624196948e976741411843dd841616337ea93a27de7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-runtime-l1-1-0.dll

MD5
fb0ca6cbfff46be87ad729a1c4fde138

SHA1
2c302d1c535d5c40f31c3a75393118b40e1b2af9

SHA256
1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df

SHA512
99144c67c33e89b8283c5b39b8bf68d55638daa6acc2715a2ac8c5dba4170dd12299d3a2dffb39ae38ef0872c2c68a64d7cdc6ceba5e660a53942761cb9eca83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-stdio-l1-1-0.dll

MD5
d5166ab3034f0e1aa679bfa1907e5844

SHA1
851dd640cb34177c43b5f47b218a686c09fa6b4c

SHA256
7bcab4ca00fb1f85fea29dd3375f709317b984a6f3b9ba12b8cf1952f97beee5

SHA512
8f2d7442191de22457c1b8402faad594af2fe0c38280aaafc876c797ca79f7f4b6860e557e37c3dbe084fe7262a85c358e3eeaf91e16855a91b7535cb0ac832e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-string-l1-1-0.dll

MD5
ad99c2362f64cde7756b16f9a016a60f

SHA1
07c9a78ee658bfa81db61dab039cffc9145cc6cb

SHA256
73ab2161a7700835b2a15b7487045a695706cc18bcee283b114042570bb9c0aa

SHA512
9c72f239adda1de11b4ad7028f3c897c93859ef277658aeaa141f09b7ddfe788d657b9cb1e2648971ecd5d27b99166283110ccba437d461003dbb9f6885451f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-time-l1-1-0.dll

MD5
9b79fda359a269c63dcac69b2c81caa4

SHA1
a38c81b7a2ec158dfcfeb72cb7c04b3eb3ccc0fb

SHA256
4d0f0ea6e8478132892f9e674e27e2bc346622fc8989c704e5b2299a18c1d138

SHA512
e69d275c5ec5eae5c95b0596f0cc681b7d287b3e2f9c78a9b5e658949e6244f754f96ad7d40214d22ed28d64e4e8bd507363cdf99999fea93cfe319078c1f541

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\api-ms-win-crt-utility-l1-1-0.dll

MD5
70e9104e743069b573ca12a3cd87ec33

SHA1
4290755b6a49212b2e969200e7a088d1713b84a2

SHA256
7e6b33a4c0c84f18f2be294ec63212245af4fd8354636804ffe5ee9a0d526d95

SHA512
e979f28451d271f405b780fc2025707c8a29dcb4c28980ca42e33d4033666de0e4a4644defec6c1d5d4bdd3c73d405fafcffe3320c60134681f62805c965bfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\application.ini

MD5
19c0be2170d97cca5fbf489c0cf1801f

SHA1
7c0858fa5872fbc93364fd63623ce5cf0adf1c22

SHA256
1c0f85bfafb950ace7656f91d342a37eeb13e7cc8b1fa0f979414d6056d4542a

SHA512
1f299a568b2dbb959b48973cf3dddaca1d66ffc9ce20f76ebe22770270ee20f96ac04eafca478fdedcc21e5908dc9055d5da59c886f056889d6eb66cc16df59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\breakpadinjector.dll

MD5
ef601720e9cb813170489a4c6b0b8037

SHA1
7fdfad5d812ef4f80e2a9e6eb2089ec348f991af

SHA256
c5280d289b2f984050ceffd76e2d4211f95a3872c29f526d505b8463be48562f

SHA512
8ea28814f9a69008b3bf946f3f55fb90f388b559935a8eb49b146ec80d960ddc91db6209fb2b744c6b41603cf0b21acba5a9106bdcce04a2959ae8370c3c0ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\crashreporter.exe

MD5
e875e3f280195fc5c052994b1589a626

SHA1
b5a1b40c1372b6e3e9c25e57d71f2ade508fc29b

SHA256
11474405c0faa8512c9293bf935809003edddd6c254e0c5ca5ef7201b3fc3662

SHA512
2a1c50e02a54ed5309dfa6643f538d15eacbd839b4ca04d45403b3891c4db8c1ae7df3f87e8047499c176f79fab90238296ccabf4a4e50a00c1846453cd527c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\crashreporter.ini

MD5
ed21be8f436feb7fd6d526c79f829246

SHA1
23a4e401028d855c2504ac485043d48e53ed179e

SHA256
4d817653d910a0264f56eb2bbb0d82f962657c7c7702b580eb740487e5467b1b

SHA512
9d68055efc732417c74d188325608c744259199a145393136173d32e9856d571c1dad21a8e35f421b2038baec8d84a73de189e96f2fda16a5aff101ee1b5d1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\d3dcompiler_47.dll

MD5
587a415cd5ac2069813adef5f7685021

SHA1
ca0e2fe1922b3cdc9e96e636a73e5c85a838e863

SHA256
2ad0d4987fc4624566b190e747c9d95038443956ed816abfd1e2d389b5ec0851

SHA512
0fa0e89ea1c1cb27ac7f621feb484438e378a8f5675eca7a91f24e0569174bd848d470d6b3e237fe6ab27ca1eb1ecc09b5f044e53a6d98bf908e77ac511183e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\default-browser-agent.exe

MD5
11096bbcfc25931e8c90b2aabb5a0b68

SHA1
e94b204980fcd7f4fd9075cd0766856fab716008

SHA256
e8cbc4a9d9861470474808ee7bee241f5975f4c01836f6849ec96fe46c58db0f

SHA512
f4c48dcc8f2c7b5d2872be3ea65f22f36eb3fd4da8f17463bb081a7e0f7aa7b3a851c84a15556a445adce704c83696d3037b064c02ddb57074968b07837ab738

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\defaultagent.ini

MD5
88d7d32ad20bf89bb7785bd07c638e17

SHA1
2bd40f0b69c2edc64ab6b7e6dd2e7ca6a6fea6f6

SHA256
5cf0660a8f2624433c8c1022f93ff3c94c5611ccbc93118ee053566590eb53f4

SHA512
7bb3328ce42e7bb546a2192ade1e8e153408912f3582c27dc0c5cbe1c2d807365aaf4206c3ceab6cb3d6c34d3155125cb7509dbf800ecf70ab35f8a64f764010

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\defaultagent_localized.ini

MD5
f0eba8ef37d6ce5b1ee45e4928964ea6

SHA1
afafac598892104d5ec353bf6b5f8f252dc9ab0e

SHA256
ab5d566c67e1be571475b54813e2e4dac674f7513695053bedd278dc41666f7f

SHA512
bcd1385feca8c1f97faaa879e0e2bd703b589cbb77532c8acd5464189fe08ac080a41964d0dadd86f40742f4251abbea655b9c0832b37e0b4045475ab32a19f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\dependentlibs.list

MD5
c35d2da6df0f7abb4d0bd534c5d5b6b0

SHA1
a4da4ca15d97746796412c2bad3fc8fbea716869

SHA256
ce638d544efe50176888e17bfbf78f118dc733ce5c2fee2eb66436ba96341345

SHA512
d27f58fb344b2303db2f4a48a153c9f11eec1663020ba8b5b973fd001c4a8c27c11e29a54b6d1913888b4ddf376aa7f45c8218378abe39a64ebdae4feb6b25cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\firefox.VisualElementsManifest.xml

MD5
0aa43576f0420593451b10ab3b7582ec

SHA1
b5f535932053591c7678faa1cd7cc3a7de680d0d

SHA256
3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6

SHA512
6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\firefox.exe

MD5
aac58dd2607d3b9e6aa40fd5dc1cc280

SHA1
48d6aec45f2bd5cdcbef06111d5bb271faa8bb85

SHA256
e614fa059d199b37feb8268ff6550aaf8465621b72834db0deb27bf4acff3896

SHA512
dd2d1cf026b274c954f430027ca1eca6b8d49130f56c523a061b49b7ddb364035474fef3fdca7b5b511d7003d75e686b3f385d8dee68feb17f1adc5f1001e3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\firefox.exe.sig

MD5
70ba299ce8da1f2c48be4fbc72ed8685

SHA1
80c8e2d7d667ec109095f4ef164aee2421cbfb96

SHA256
66c9c975b0086f43193d6ba7cdc91992561fa0196a4dca9bb4c790ac3954e3a7

SHA512
31ee90d91172d83626d3cc2746d289a095c3a2de4979db95517854ca921e6bb60eef9ca9d7a4071fe508bdb14a71955e76fcf6a1ebfa5ad4283a956ad4cb3078

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\core\freebl3.dll

MD5
d7cdf15ea1c81d5bf285b70f67f7370e

SHA1
ed9bea31eed690d80c3925fc7feb0d30ce1c1b0f

SHA256
eab4aeed622d3d79b3d9a6ead403579b347efdc5fcd975c11fd1b65a25d0a61c

SHA512
49c696fc63aaba0628aaf1503ccd96dbca638cad9a0c8538924dd4cf41e9a783ecb328b9a54f2cbe9d62feba228badbfae98ddfc1fa60fcfffa273ed942418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\setup.exe

MD5
85142a31fcef5cf7e57c3cd67fe17cde

SHA1
11fe14b5591fa6d85c6094a25755f374c6b2ed60

SHA256
582f2fe66e3ec42727de7473618aad3b1e9e646667dd8754a367a570a6c80272

SHA512
5f3cf15648d5aac819a23f7e67423092711affd31a7160ae4946995e3af85e36d30b93d60bd9de2755f051a975af804bb9d818a734080a143f314678ed002c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC333FA94\setup.exe

MD5
85142a31fcef5cf7e57c3cd67fe17cde

SHA1
11fe14b5591fa6d85c6094a25755f374c6b2ed60

SHA256
582f2fe66e3ec42727de7473618aad3b1e9e646667dd8754a367a570a6c80272

SHA512
5f3cf15648d5aac819a23f7e67423092711affd31a7160ae4946995e3af85e36d30b93d60bd9de2755f051a975af804bb9d818a734080a143f314678ed002c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\config.ini

MD5
ed23468cb20f1f37a967eb26f639faef

SHA1
5707e3d394b6a3e36e8b1e23317ec115bafa1e9c

SHA256
812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913

SHA512
9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\download.exe

MD5
9ca1d7866e9ea13afdeb7915d81b4e21

SHA1
11db1c896f9daa9f6589a979ea4bde25d4b900a5

SHA256
0f77f9e38e83957519004f1af6a821b21d20e903ae0b15da34ff2a3a66b8aacd

SHA512
d183f7be466c2d47c1fefc189d06bff147b937931410444fe213463fd95c1369782030cc23efdfb27fa111fab1028da894612dbd10352367d978f972dd35c29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\download.exe

MD5
9ca1d7866e9ea13afdeb7915d81b4e21

SHA1
11db1c896f9daa9f6589a979ea4bde25d4b900a5

SHA256
0f77f9e38e83957519004f1af6a821b21d20e903ae0b15da34ff2a3a66b8aacd

SHA512
d183f7be466c2d47c1fefc189d06bff147b937931410444fe213463fd95c1369782030cc23efdfb27fa111fab1028da894612dbd10352367d978f972dd35c29c

Download Submit
\ProgramData\Synaptics\Synaptics.exe

MD5
46b247fca1cd3f02cbd15ac903c5350b

SHA1
8492c327773b05b599c9091d266d53e6fba576be

SHA256
bc7d7cb82d5fea62954430f7e237b064ff341394701e63226d89f0c0cf95c4bf

SHA512
976d72068d438c66f65b043466870ff7349fe0e634b6bed555992cc587edaeb42b2d78996a5d1d74aaf0a7e3ffa972bf8765956dca8eaa7a072be5d869016d0c

Download Submit
\ProgramData\Synaptics\Synaptics.exe

MD5
46b247fca1cd3f02cbd15ac903c5350b

SHA1
8492c327773b05b599c9091d266d53e6fba576be

SHA256
bc7d7cb82d5fea62954430f7e237b064ff341394701e63226d89f0c0cf95c4bf

SHA512
976d72068d438c66f65b043466870ff7349fe0e634b6bed555992cc587edaeb42b2d78996a5d1d74aaf0a7e3ffa972bf8765956dca8eaa7a072be5d869016d0c

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_70818ab8a38bcb65be92612c6e7304d3927315058eb16a31ec4dc44ee4b3f6a6.exe

MD5
9e856bf436c3b746f73895b6635439ff

SHA1
75f6aa967a6524cf902f057e4e47703c77f1f932

SHA256
e5ff5db8090b24c5dfeb68dbaa8de1c2895a2cd68845f41c494a1e4a38d93f98

SHA512
e4ca2622cc5554e99207dd2330ff064901b288a34b7be7aaffaa1689cfc0c7e4963ac3322cf587050b37f9e3882d94d3e1d94aaf185c076ee324dd2a57d2b1b5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A4EB074\setup-stub.exe

MD5
a76b09c51e1e8406cebf9dc4756bf922

SHA1
991e2670f5601240c37c13b29bd85b67a6c76398

SHA256
889237e20913935ddd66733c299d4aacd1fdeb0dd039b043a59570ae05a4f9fe

SHA512
637a852b0830bbb691e492d8d82e96353fe1f68378942c835d457573bde71ea5665c1216e73854a4e808e8929c49ff3b7357cc127b452998196fc62c2b37e544

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC333FA94\setup.exe

MD5
85142a31fcef5cf7e57c3cd67fe17cde

SHA1
11fe14b5591fa6d85c6094a25755f374c6b2ed60

SHA256
582f2fe66e3ec42727de7473618aad3b1e9e646667dd8754a367a570a6c80272

SHA512
5f3cf15648d5aac819a23f7e67423092711affd31a7160ae4946995e3af85e36d30b93d60bd9de2755f051a975af804bb9d818a734080a143f314678ed002c53

Download Submit
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\CertCheck.dll

MD5
2979f933cbbac19cfe35b1fa02cc95a4

SHA1
4f208c9c12199491d7ba3c1ee640fca615e11e92

SHA256
bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f

SHA512
61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

Download Submit
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\CityHash.dll

MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\InetBgDL.dll

MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\System.dll

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\UAC.dll

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\UserInfo.dll

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\UserInfo.dll

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\download.exe

MD5
9ca1d7866e9ea13afdeb7915d81b4e21

SHA1
11db1c896f9daa9f6589a979ea4bde25d4b900a5

SHA256
0f77f9e38e83957519004f1af6a821b21d20e903ae0b15da34ff2a3a66b8aacd

SHA512
d183f7be466c2d47c1fefc189d06bff147b937931410444fe213463fd95c1369782030cc23efdfb27fa111fab1028da894612dbd10352367d978f972dd35c29c

Download Submit
\Users\Admin\AppData\Local\Temp\nsc65D5.tmp\nsDialogs.dll

MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
\Users\Admin\AppData\Local\Temp\nsxD49E.tmp\System.dll

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsxD49E.tmp\UAC.dll

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
memory/624-141-0x0000000000000000-mapping.dmp

Download
memory/828-87-0x0000000000000000-mapping.dmp

Download
memory/928-162-0x0000000000000000-mapping.dmp

Download
memory/952-137-0x0000000000000000-mapping.dmp

Download
memory/952-138-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/1028-145-0x0000000000000000-mapping.dmp

Download
memory/1032-157-0x0000000000000000-mapping.dmp

Download
memory/1032-170-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/1080-147-0x0000000000000000-mapping.dmp

Download
memory/1184-63-0x0000000000000000-mapping.dmp

Download
memory/1292-81-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/1292-67-0x0000000000000000-mapping.dmp

Download
memory/1332-155-0x0000000000000000-mapping.dmp

Download
memory/1628-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1628-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1628-151-0x0000000000000000-mapping.dmp

Download
memory/1756-165-0x0000000000000000-mapping.dmp

Download
memory/1820-154-0x0000000000000000-mapping.dmp

Download
memory/1896-139-0x0000000000000000-mapping.dmp

Download
memory/1980-82-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1980-72-0x0000000000000000-mapping.dmp

Download
memory/1992-143-0x0000000000000000-mapping.dmp

Download
memory/1996-153-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/1996-150-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/1996-149-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1996-136-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1996-91-0x0000000000000000-mapping.dmp

Download
memory/2176-168-0x0000000000000000-mapping.dmp

Download
memory/2176-171-0x0000000001400000-0x000000000140A000-memory.dmp

Filesize
40KB

Download
memory/2176-172-0x00000000745C0000-0x00000000746B1000-memory.dmp

Filesize
964KB

Download
memory/2400-174-0x0000000000000000-mapping.dmp

Download
memory/2672-177-0x0000000000000000-mapping.dmp

Download