8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe

Analysis

max time kernel
140s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
26-07-2021 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe
Size

325KB
MD5

8e243f0d912015e58b3a8e936ba9f2be
SHA1

91edd256caa08d5a641ef78684720427a77c6e78
SHA256

8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe
SHA512

c845d94b2b2a4e90970165438870c5da842dc94ef59e24e80377eff5d3593bb5cab3e1f2c549883965940aa49a91aa0519fb33c3116112e05b6751d0e2f8ec36

Score

8^/10

discovery evasion spyware stealer trojan upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

setup-stub.exedownload.exesetup.exemaintenanceservice_installer.exemaintenanceservice_tmp.exedefault-browser-agent.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
1972	setup-stub.exe
928	download.exe
276	setup.exe
1620	maintenanceservice_installer.exe
1600	maintenanceservice_tmp.exe
436	default-browser-agent.exe
788	firefox.exe
904	firefox.exe
1316	firefox.exe
916	firefox.exe
900	firefox.exe
2248	firefox.exe
2704	firefox.exe
2056	firefox.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\download.exe	upx
C:\Users\Admin\AppData\Local\Temp\nsi38B.tmp\download.exe	upx
C:\Users\Admin\AppData\Local\Temp\nsi38B.tmp\download.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation firefox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	firefox.exe

Loads dropped DLL 64 IoCs

Processes:

8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exesetup-stub.exedownload.exesetup.exeregsvr32.exeregsvr32.exemaintenanceservice_installer.exedefault-browser-agent.exe

pid	process
2004	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe
1972	setup-stub.exe
1972	setup-stub.exe
1972	setup-stub.exe
1972	setup-stub.exe
1972	setup-stub.exe
1972	setup-stub.exe
1972	setup-stub.exe
1972	setup-stub.exe
1972	setup-stub.exe
928	download.exe
276	setup.exe
276	setup.exe
276	setup.exe
1672	regsvr32.exe
1672	regsvr32.exe
1672	regsvr32.exe
1672	regsvr32.exe
1672	regsvr32.exe
1672	regsvr32.exe
1672	regsvr32.exe
1648	regsvr32.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
1620	maintenanceservice_installer.exe
1620	maintenanceservice_installer.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
276	setup.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe
436	default-browser-agent.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup-stub.exesetup.exemaintenanceservice_installer.exemaintenanceservice_tmp.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\platform.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	maintenanceservice_installer.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsx39D.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\qipcap.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\mozwer.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\softokn3.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ucrtbase.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	setup-stub.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	maintenanceservice_installer.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	maintenanceservice_tmp.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\removed-files	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\META-INF\mozilla.rsa	setup.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\install.tmp	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsx39D.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe.sig	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\META-INF\cose.manifest	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\doh-rollout@mozilla.org.xpi	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	maintenanceservice_tmp.exe
File created	C:\Program Files\Mozilla Firefox\application.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\nss3.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\precomplete	setup.exe
File created	C:\Program Files\Mozilla Firefox\META-INF\cose.manifest	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\breakpadinjector.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\libEGL.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

setup-stub.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main setup-stub.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	setup-stub.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ = "ISimpleDOMText"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\NumMethods\ = "7"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SynchronousInterface\ = "{CE30F77E-8847-44F0-A648-A9656BD89C0D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\ = "Firefox URL"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods\ = "9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\FriendlyTypeName = "Firefox Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ = "IGeckoBackChannel"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\NumMethods\ = "8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\FriendlyTypeName = "Firefox URL"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ = "ISimpleDOMDocument"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}\InprocHandler32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "AsyncIHandlerControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SynchronousInterface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32\ = "{DCA8D857-1A63-4045-8F36-8809EB093D04}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}\InprocHandler32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\AsynchronousInterface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods\ = "8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\URL Protocol	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\ = "Firefox HTML Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\NumMethods\ = "5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\firefox.exe\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ = "IHandlerControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\AsynchronousInterface\ = "{DCA8D857-1A63-4045-8F36-8809EB093D04}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\DDEEXEC	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

setup-stub.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

maintenanceservice_tmp.exe

pid process

1600 maintenanceservice_tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 904 firefox.exe
Token: SeDebugPrivilege 904 firefox.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

setup-stub.exefirefox.exe

pid process

1972 setup-stub.exe
904 firefox.exe
904 firefox.exe
904 firefox.exe
904 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

904 firefox.exe
904 firefox.exe
904 firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

setup-stub.exe

pid process

1972 setup-stub.exe
1972 setup-stub.exe

pid	process
1600	maintenanceservice_tmp.exe

description	pid	process
Token: SeDebugPrivilege	904	firefox.exe
Token: SeDebugPrivilege	904	firefox.exe

pid	process
904	firefox.exe
904	firefox.exe
904	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exesetup-stub.exedownload.exesetup.exeregsvr32.exeregsvr32.exemaintenanceservice_installer.exe

description	pid	process	target process
PID 2004 wrote to memory of 1972	2004	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe
PID 2004 wrote to memory of 1972	2004	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe
PID 2004 wrote to memory of 1972	2004	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe
PID 2004 wrote to memory of 1972	2004	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe
PID 2004 wrote to memory of 1972	2004	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe
PID 2004 wrote to memory of 1972	2004	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe
PID 2004 wrote to memory of 1972	2004	8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe	setup-stub.exe
PID 1972 wrote to memory of 928	1972	setup-stub.exe	download.exe
PID 1972 wrote to memory of 928	1972	setup-stub.exe	download.exe
PID 1972 wrote to memory of 928	1972	setup-stub.exe	download.exe
PID 1972 wrote to memory of 928	1972	setup-stub.exe	download.exe
PID 928 wrote to memory of 276	928	download.exe	setup.exe
PID 928 wrote to memory of 276	928	download.exe	setup.exe
PID 928 wrote to memory of 276	928	download.exe	setup.exe
PID 928 wrote to memory of 276	928	download.exe	setup.exe
PID 928 wrote to memory of 276	928	download.exe	setup.exe
PID 928 wrote to memory of 276	928	download.exe	setup.exe
PID 928 wrote to memory of 276	928	download.exe	setup.exe
PID 276 wrote to memory of 1952	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1952	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1952	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1952	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1952	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1952	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1952	276	setup.exe	regsvr32.exe
PID 1952 wrote to memory of 1672	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 1672	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 1672	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 1672	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 1672	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 1672	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 1672	1952	regsvr32.exe	regsvr32.exe
PID 276 wrote to memory of 1624	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1624	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1624	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1624	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1624	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1624	276	setup.exe	regsvr32.exe
PID 276 wrote to memory of 1624	276	setup.exe	regsvr32.exe
PID 1624 wrote to memory of 1648	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 1648	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 1648	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 1648	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 1648	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 1648	1624	regsvr32.exe	regsvr32.exe
PID 1624 wrote to memory of 1648	1624	regsvr32.exe	regsvr32.exe
PID 276 wrote to memory of 1620	276	setup.exe	maintenanceservice_installer.exe
PID 276 wrote to memory of 1620	276	setup.exe	maintenanceservice_installer.exe
PID 276 wrote to memory of 1620	276	setup.exe	maintenanceservice_installer.exe
PID 276 wrote to memory of 1620	276	setup.exe	maintenanceservice_installer.exe
PID 276 wrote to memory of 1620	276	setup.exe	maintenanceservice_installer.exe
PID 276 wrote to memory of 1620	276	setup.exe	maintenanceservice_installer.exe
PID 276 wrote to memory of 1620	276	setup.exe	maintenanceservice_installer.exe
PID 1620 wrote to memory of 1600	1620	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 1620 wrote to memory of 1600	1620	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 1620 wrote to memory of 1600	1620	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 1620 wrote to memory of 1600	1620	maintenanceservice_installer.exe	maintenanceservice_tmp.exe
PID 276 wrote to memory of 436	276	setup.exe	default-browser-agent.exe
PID 276 wrote to memory of 436	276	setup.exe	default-browser-agent.exe
PID 276 wrote to memory of 436	276	setup.exe	default-browser-agent.exe
PID 276 wrote to memory of 436	276	setup.exe	default-browser-agent.exe
PID 1972 wrote to memory of 788	1972	setup-stub.exe	firefox.exe
PID 1972 wrote to memory of 788	1972	setup-stub.exe	firefox.exe
PID 1972 wrote to memory of 788	1972	setup-stub.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe
"C:\Users\Admin\AppData\Local\Temp\8866811dd8d9383cf6c5db218e2f6aa364a4c3f077423152483cbcc8696c3ffe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\7zS4D795E14\setup-stub.exe
.\setup-stub.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\nsi38B.tmp\download.exe
"C:\Users\Admin\AppData\Local\Temp\nsi38B.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsi38B.tmp\config.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\7zS0A314624\setup.exe
.\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsi38B.tmp\config.ini
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
5⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
6⤵
- Loads dropped DLL
- Modifies registry class
PID:1672

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
5⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
6⤵
- Loads dropped DLL
- Modifies registry class
PID:1648

C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
"C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
3⤵
- Executes dropped EXE
PID:788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
4⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="904.0.950712734\1524397944" -parentBuildID 20210721174149 -prefsHandle 1304 -prefMapHandle 1296 -prefsLen 1 -prefMapSize 238311 -appdir "C:\Program Files\Mozilla Firefox\browser" - 904 "\\.\pipe\gecko-crash-server-pipe.904" 1400 gpu
5⤵
- Executes dropped EXE
PID:1316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="904.6.392372599\1123411205" -childID 1 -isForBrowser -prefsHandle 1760 -prefMapHandle 1756 -prefsLen 1897 -prefMapSize 238311 -jsInit 872 285176 -parentBuildID 20210721174149 -appdir "C:\Program Files\Mozilla Firefox\browser" - 904 "\\.\pipe\gecko-crash-server-pipe.904" 1772 tab
5⤵
- Executes dropped EXE
PID:916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="904.13.1968962397\1879366846" -childID 2 -isForBrowser -prefsHandle 1996 -prefMapHandle 1992 -prefsLen 1961 -prefMapSize 238311 -jsInit 872 285176 -parentBuildID 20210721174149 -appdir "C:\Program Files\Mozilla Firefox\browser" - 904 "\\.\pipe\gecko-crash-server-pipe.904" 2008 tab
5⤵
- Executes dropped EXE
PID:900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="904.20.996982594\299994116" -parentBuildID 20210721174149 -prefsHandle 2236 -prefMapHandle 2216 -prefsLen 2042 -prefMapSize 238311 -appdir "C:\Program Files\Mozilla Firefox\browser" - 904 "\\.\pipe\gecko-crash-server-pipe.904" 2248 rdd
5⤵
- Executes dropped EXE
PID:2248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="904.24.1912495381\1255826043" -childID 3 -isForBrowser -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 2144 -prefMapSize 238311 -jsInit 872 285176 -parentBuildID 20210721174149 -appdir "C:\Program Files\Mozilla Firefox\browser" - 904 "\\.\pipe\gecko-crash-server-pipe.904" 1728 tab
5⤵
- Executes dropped EXE
PID:2704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="904.31.875004173\110879610" -childID 4 -isForBrowser -prefsHandle 3668 -prefMapHandle 3708 -prefsLen 9965 -prefMapSize 238311 -jsInit 872 285176 -parentBuildID 20210721174149 -appdir "C:\Program Files\Mozilla Firefox\browser" - 904 "\\.\pipe\gecko-crash-server-pipe.904" 3540 tab
5⤵
- Executes dropped EXE
PID:2056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\Accessible.tlb
MD5
e49aeb412aab7c49a27e6feaa0ca40ce

SHA1
6a2f6ea9facc48a3f736e03fda2c1ce44b744af3

SHA256
754fd922f8c93b66f723c30d39083a6a1fe33fa4b6439d55ad2459be40c3151e

SHA512
8c3f957d032fa8edb523cd3f473a57e2cc020c9e6e33aea183cad8b435777660f4c7e87ba62c67bbb1aef726d109f0f34b2d86c159ca9bd98bfad43c89af7ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\AccessibleHandler.dll
MD5
b7063448e994f0e5ad14271be100454c

SHA1
7954cab8658ed92f6345cd5bc77cba72e647788e

SHA256
a5617cde894e8982196664d92ed64c3494250218efe77756128cf1a5a1575e4c

SHA512
39a65a5f55c90f8f4fdd9baa8221427eb9d7c808a6ab8397267ff411dccd1874a851f23db94e4ce97f51c07b9a8481dccce8c8f2ac34be06f20d19f6ea41ff79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\AccessibleMarshal.dll
MD5
0ac1b91b55fb60ae2da541b03ee6b167

SHA1
0a5981edc8508c4c383c90abe49c3ff4184c0b86

SHA256
18b28d4666da0c1711c1e5e3d20f3e5526beb1d8318244d8e9563fc59cfdddd9

SHA512
5179913d416abe39c14cf35851da0a9eb593ae787750510f2ff938d4b6d014b5af07eb95e2db183b19710bd8da2bf27497159f5aec99eb75a20a2ebfc88e7711

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\IA2Marshal.dll
MD5
faf56b18dd4ead644abb9493b0f81291

SHA1
805226e6937f1282f3bbde469aee5daf921d6c3c

SHA256
ff424e6510474a9fed79e10888d3ed541a4ee8dd11f927676588dc49d4279f1f

SHA512
482632ca3fcb1f3cc093e5d4a861945cff6732cc9e45d141c19a3d094706f53c2930ef3e35c08ccbb492242473f8968a760770e223bba688579685ce69302f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-core-file-l1-2-0.dll
MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-core-file-l2-1-0.dll
MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-core-localization-l1-2-0.dll
MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-core-processthreads-l1-1-1.dll
MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-core-synch-l1-2-0.dll
MD5
6e704280d632c2f8f2cadefcae25ad85

SHA1
699c5a1c553d64d7ff3cf4fe57da72bb151caede

SHA256
758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893

SHA512
ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-core-timezone-l1-1-0.dll
MD5
c9a55de62e53d747c5a7fddedef874f9

SHA1
c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad

SHA256
b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b

SHA512
adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-conio-l1-1-0.dll
MD5
a668c5ee307457729203ae00edebb6b3

SHA1
2114d84cf3ec576785ebbe6b2184b0d634b86d71

SHA256
a95b1af74623d6d5d892760166b9bfac8926929571301921f1e62458e6d1a503

SHA512
73dc1a1c2ceb98ca6d9ddc7611fc44753184be00cfba07c4947d675f0b154a09e6013e1ef54ac7576e661fc51b4bc54fdd96a0c046ab4ee58282e711b1854730

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-convert-l1-1-0.dll
MD5
9ddea3cc96e0fdd3443cc60d649931b3

SHA1
af3cb7036318a8427f20b8561079e279119dca0e

SHA256
b7c3ebc36c84630a52d23d1c0e79d61012dfa44cdebdf039af31ec9e322845a5

SHA512
1427193b31b64715f5712db9c431593bdc56ef512fe353147ddb7544c1c39ded4371cd72055d82818e965aff0441b7cbe0b811d828efb0ece28471716659e162

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-environment-l1-1-0.dll
MD5
39325e5f023eb564c87d30f7e06dff23

SHA1
03dd79a7fbe3de1a29359b94ba2d554776bdd3fe

SHA256
56d8b7ee7619579a3c648eb130c9354ba1ba5b33a07a4f350370ee7b3653749a

SHA512
087b9dcb744ad7d330bacb9bda9c1a1df28ebb9327de0c5dc618e79929fd33d1b1ff0e1ef4c08f8b3ea8118b968a89f44fe651c66cba4ecbb3216cd4bcce3085

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-filesystem-l1-1-0.dll
MD5
228c6bbe1bce84315e4927392a3baee5

SHA1
ba274aa567ad1ec663a2f9284af2e3cb232698fb

SHA256
ac0cec8644340125507dd0bc9a90b1853a2d194eb60a049237fb5e752d349065

SHA512
37a60cce69e81f68ef62c58bba8f2843e99e8ba1b87df9a5b561d358309e672ae5e3434a10a3dde01ae624d1638da226d42c64316f72f3d63b08015b43c56cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-heap-l1-1-0.dll
MD5
1776a2b85378b27825cf5e5a3a132d9a

SHA1
626f0e7f2f18f31ec304fe7a7af1a87cbbebb1df

SHA256
675b1b82dd485cc8c8a099272db9241d0d2a7f45424901f35231b79186ec47ee

SHA512
541a5dd997fc5fec31c17b4f95f03c3a52e106d6fb590cb46bdf5adad23ed4a895853768229f3fbb9049f614d9bae031e6c43cec43fb38c89f13163721bb8348

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-locale-l1-1-0.dll
MD5
034379bcea45eb99db8cdfeacbc5e281

SHA1
bbf93d82e7e306e827efeb9612e8eab2b760e2b7

SHA256
8b543b1bb241f5b773eb76f652dad7b12e3e4a09230f2e804cd6b0622e8baf65

SHA512
7ea6efb75b0c59d3120d5b13da139042726a06d105c924095ed252f39ac19e11e8a5c6bb1c45fa7519c0163716745d03fb9daaaca50139a115235ab2815cc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-math-l1-1-0.dll
MD5
8da414c3524a869e5679c0678d1640c1

SHA1
60cf28792c68e9894878c31b323e68feb4676865

SHA256
39723e61c98703034b264b97ee0fe12e696c6560483d799020f9847d8a952672

SHA512
6ef3f81206e7d4dca5b3c1fafc9aa2328b717e61ee0acce30dfb15ad0fe3cb59b2bd61f92bf6046c0aae01445896dcb1485ad8be86629d22c3301a1b5f4f2cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-multibyte-l1-1-0.dll
MD5
19d7f2d6424c98c45702489a375d9e17

SHA1
310bc4ed49492383e7c669ac9145bda2956c7564

SHA256
a6b83b764555d517216e0e34c4945f7a7501c1b7a25308d8f85551fe353f9c15

SHA512
01c09edef90c60c9e6cdabff918f15afc9b728d6671947898ce8848e3d102f300f3fb4246af0ac9c6f57b3b85b24832d7b40452358636125b61eb89567d3b17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-private-l1-1-0.dll
MD5
3d139f57ed79d2c788e422ca26950446

SHA1
788e4fb5d1f46b0f1802761d0ae3addb8611c238

SHA256
dc25a882ac454a0071e4815b0e939dc161ba73b5c207b84afd96203c343b99c7

SHA512
12ed9216f44aa5f245c707fe39aed08dc18ea675f5a707098f1a1da42b348a649846bc919fd318de7954ea9097c01f22be76a5d85d664ef030381e7759840765

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-process-l1-1-0.dll
MD5
9d3d6f938c8672a12aea03f85d5330de

SHA1
6a7d6e84527eaf54d6f78dd1a5f20503e766a66c

SHA256
707c9a384440d0b2d067fc0335273f8851b02c3114842e17df9c54127910d7fb

SHA512
0e1681b16cd9af116bcc5c6b4284c1203b33febb197d1d4ab8a649962c0e807af9258bde91c86727910624196948e976741411843dd841616337ea93a27de7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-runtime-l1-1-0.dll
MD5
fb0ca6cbfff46be87ad729a1c4fde138

SHA1
2c302d1c535d5c40f31c3a75393118b40e1b2af9

SHA256
1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df

SHA512
99144c67c33e89b8283c5b39b8bf68d55638daa6acc2715a2ac8c5dba4170dd12299d3a2dffb39ae38ef0872c2c68a64d7cdc6ceba5e660a53942761cb9eca83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-stdio-l1-1-0.dll
MD5
d5166ab3034f0e1aa679bfa1907e5844

SHA1
851dd640cb34177c43b5f47b218a686c09fa6b4c

SHA256
7bcab4ca00fb1f85fea29dd3375f709317b984a6f3b9ba12b8cf1952f97beee5

SHA512
8f2d7442191de22457c1b8402faad594af2fe0c38280aaafc876c797ca79f7f4b6860e557e37c3dbe084fe7262a85c358e3eeaf91e16855a91b7535cb0ac832e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-string-l1-1-0.dll
MD5
ad99c2362f64cde7756b16f9a016a60f

SHA1
07c9a78ee658bfa81db61dab039cffc9145cc6cb

SHA256
73ab2161a7700835b2a15b7487045a695706cc18bcee283b114042570bb9c0aa

SHA512
9c72f239adda1de11b4ad7028f3c897c93859ef277658aeaa141f09b7ddfe788d657b9cb1e2648971ecd5d27b99166283110ccba437d461003dbb9f6885451f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-time-l1-1-0.dll
MD5
9b79fda359a269c63dcac69b2c81caa4

SHA1
a38c81b7a2ec158dfcfeb72cb7c04b3eb3ccc0fb

SHA256
4d0f0ea6e8478132892f9e674e27e2bc346622fc8989c704e5b2299a18c1d138

SHA512
e69d275c5ec5eae5c95b0596f0cc681b7d287b3e2f9c78a9b5e658949e6244f754f96ad7d40214d22ed28d64e4e8bd507363cdf99999fea93cfe319078c1f541

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\api-ms-win-crt-utility-l1-1-0.dll
MD5
70e9104e743069b573ca12a3cd87ec33

SHA1
4290755b6a49212b2e969200e7a088d1713b84a2

SHA256
7e6b33a4c0c84f18f2be294ec63212245af4fd8354636804ffe5ee9a0d526d95

SHA512
e979f28451d271f405b780fc2025707c8a29dcb4c28980ca42e33d4033666de0e4a4644defec6c1d5d4bdd3c73d405fafcffe3320c60134681f62805c965bfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\application.ini
MD5
969d15f694a3cffe691c83a4e1ba70f7

SHA1
e0644341d842f97d072c1dae51fe77d469aa3c82

SHA256
60b705825fad5665386317b9ac0a3efe746e96912739b920fc78370f6b4e650a

SHA512
b2823351f09308ac68ea407b6f6a4233a0393387e79bad9262add04c89f8ceb9852abf4cd7752a3b72e13ea2762e21a58dd7ee27e2592e2446c7ace1284d42a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\breakpadinjector.dll
MD5
c687b5ea490513aa9c7a34f465a6f736

SHA1
359a5df109cf97b08c7baa965ba41559d9a0a7c5

SHA256
8e142704e8346c2efb6030367b6d414c9eb08e994d44cacb3a84bf7b42a2bc8b

SHA512
dfa652e9a25253482fa9519700f29348058fcc57d5a1cc0376326079ad651b477428165154a153a25546c9d8318826d0ad6bc68b7eb952d33e1d9535b9d7ba59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\crashreporter.exe
MD5
91278abcb1cb4d024a4d7dfe972dcf99

SHA1
f8e82992f2cc61fe4e713fcea02899a693b8ed66

SHA256
caee668001a2b0f05f17d8d01e6fe2409752c2343d44eef1c8db526ef7a70380

SHA512
9d92f2a247ea39410adb75298ef76bc33c60eba75430665c08172744ed8f2d11ab580c91f2517a5007d8e758b51f36d09c1a561c00fce9da45d910d6046e7ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\crashreporter.ini
MD5
31cc1b63bb6fce532298b3f03137f3a7

SHA1
a9e5d23381e55d65891006801cce49fb61f3ba6a

SHA256
2305896688500e1d486bc2c5a6004a748b0953303965c08df9782a0c09e5801b

SHA512
cc10fade29491d5699db30f91435d2def960acbab780155069b79c6a17c323bf574543fc27690af8f9121f69abe23087921b3ff90322ff86464678f5fc43aa49

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\d3dcompiler_47.dll
MD5
587a415cd5ac2069813adef5f7685021

SHA1
ca0e2fe1922b3cdc9e96e636a73e5c85a838e863

SHA256
2ad0d4987fc4624566b190e747c9d95038443956ed816abfd1e2d389b5ec0851

SHA512
0fa0e89ea1c1cb27ac7f621feb484438e378a8f5675eca7a91f24e0569174bd848d470d6b3e237fe6ab27ca1eb1ecc09b5f044e53a6d98bf908e77ac511183e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\default-browser-agent.exe
MD5
c10ba7fa7ac3615571af76dd808048b9

SHA1
bca8dde6dbfdb292d76453eb76bacea6380a3406

SHA256
3ffe64054333e2f845519cfcbf0794fabc176815c622c622e1a2cfc318936041

SHA512
3d22ab7014af5e699971c121d9cc4a867fb556988ae4d40bf57cbd9b403d04d05c88b6d187fa1598cd585f62906e86b8a10a58c3370e557e08876cedee60330c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\defaultagent.ini
MD5
88d7d32ad20bf89bb7785bd07c638e17

SHA1
2bd40f0b69c2edc64ab6b7e6dd2e7ca6a6fea6f6

SHA256
5cf0660a8f2624433c8c1022f93ff3c94c5611ccbc93118ee053566590eb53f4

SHA512
7bb3328ce42e7bb546a2192ade1e8e153408912f3582c27dc0c5cbe1c2d807365aaf4206c3ceab6cb3d6c34d3155125cb7509dbf800ecf70ab35f8a64f764010

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\defaultagent_localized.ini
MD5
724ebfb396df8880ee1cbef16e3d5741

SHA1
93ef67800c339fe02218f9a3659d5e45c7688888

SHA256
bba0bc0cdb8699a24eba9d97294d3bb1717fb03204b3b91fb69c35d6b9284003

SHA512
ee6b197d39cb1772ca84a92a6a74e9e35583a19fed1b362b79d3d9b7bccf47909b2b3c9f20318d143f68532f37914674e8cc607f7371350aef97564f4a74c494

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\dependentlibs.list
MD5
c35d2da6df0f7abb4d0bd534c5d5b6b0

SHA1
a4da4ca15d97746796412c2bad3fc8fbea716869

SHA256
ce638d544efe50176888e17bfbf78f118dc733ce5c2fee2eb66436ba96341345

SHA512
d27f58fb344b2303db2f4a48a153c9f11eec1663020ba8b5b973fd001c4a8c27c11e29a54b6d1913888b4ddf376aa7f45c8218378abe39a64ebdae4feb6b25cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\firefox.VisualElementsManifest.xml
MD5
0aa43576f0420593451b10ab3b7582ec

SHA1
b5f535932053591c7678faa1cd7cc3a7de680d0d

SHA256
3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6

SHA512
6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\firefox.exe
MD5
9ae936145bc580d6ea26d9cac8866fb4

SHA1
62fbed94783643beca6ab81d5e78e173e979d9d5

SHA256
61c63cd267e6d8e9c2b7c4f957190c21f4397ac7eba481f78bfe6b26ef2553a3

SHA512
1ee0fc0c9aff5e43509535c4edd77a2b25c689235fb62230bb8f60b49de675cc0aca423f73e0ec0ac5969e862a0b380c6ceb0ce534e997cb32031da701382e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\firefox.exe.sig
MD5
2134694c4efb054db5974ec70289f492

SHA1
41e13f92950113e8da8b05786bf1a3861700b49e

SHA256
df88b4e47a9627335ddc4cb730bfa34e2bc1a93d7bff3be50a72a36fa70a87dd

SHA512
188040c012dd075ee216e7b75ef9fc5592bc390cab5abefc66c5e550e482d96cad1a958fc6231758032103078de9b08db43f5c11f18ad34eb422a3245ea711ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\freebl3.dll
MD5
6e13d58c2e41dd945fd6d49e80ec4f32

SHA1
ab9a973028e83fd7aab320aef27815ab86ad016e

SHA256
68d493194c95035b30da725c10bd16ad42ad95e43948db0a040702b09aeb982b

SHA512
c31ee98ddb2642cb1ffa9e78afa6fa9a75469ae7b6dbc8dbaa6194f4681f91973f03a14f63c7fce4490cdd99f4eb1ea31dcc46aaba7a5ae7415e5f943eb9ae77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\lgpllibs.dll
MD5
d3ef97e43aed06715aa98a96826f55a0

SHA1
232e27db715a5aeb30844ca2e4bf63becd79a973

SHA256
54fa3c52648bab665933f7a127e176e35947074523b853487374d7fa33c41e6e

SHA512
69cb9c9ca17c4366bda92021fdccd661044dc675dff4f320c36bfdd28cdfd3978de895e7f284af1b0da2dd894d2d6f1eb8f74aff3734890abed1f2972f62ce41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\libEGL.dll
MD5
70aaa8d2b66d32a25dae99b0a031c817

SHA1
1f4e38834fd8df6bd7d28eb0798760bd5781e96b

SHA256
b43e8db66bf34685ffd5d55fba72dadc9d9e54cf9ca7948d5fac7298bac4ef76

SHA512
899a1be651c6d55721b04b0d45ca6ab229cf7adcd711ad6e5a1c65c94ca84494ad0351fb02191b509eb9d6b2f728da91ccb50625b5ade852bd042ac96abbbeee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\libGLESv2.dll
MD5
b2f3c3a67f8b05dc121434ea2b63e114

SHA1
12e954d5988ad7a61e22578e765befe03ea97296

SHA256
6c7fa40f11e4008963df3e39e2a0dcef8c47e1274858791ca60d2a67ef2c1f9a

SHA512
320c1e35dd03933bf3cd46de7aad9bf2b9c78f324adc4d052e11d775e2d9e60977571854e733120894800ac16e452518b598138bb8a7ed8966ee81ac4e088658

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\locale.ini
MD5
176c004f1c59a064cb78ea94d0ad82e7

SHA1
b3a7ef3ddbfbc29afe54729be1323b58e1cc77f8

SHA256
e2c21be2d50981966ee839ff84bf40cface9018a86693277f5c1685576275521

SHA512
70428d69118381b467a310a71ca4567a17d3fe035bc062b907180caccaa8e6ad19741fa22bbb44db726a684497c4babb7bfa41492ae02e38d4dee5dd65dba56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\maintenanceservice.exe
MD5
ff7fd85c7bec8eb27ff90fc3efa7c04a

SHA1
4089cb0060689f65542d4ed40660a2cc23e7548c

SHA256
3807343502049d7f7ad839afd3dfb4be61e0bdcacdec49048f8d608bfa3f16a8

SHA512
d5e6d28cda4f6c3fc9b75360e934248c41ba79e7df07f94f68150bcbccc70d5f8e06fcecb9af967c9bf06fa1c086c2e820a9e9aff8d42de99950a04175a30d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\core\maintenanceservice_installer.exe
MD5
844bdb7655e05941d1c0920217401bea

SHA1
e212979ff0574522afe1456d6dcc8d7b6eb822d2

SHA256
a3f2ebfea48a65658e85e9bb2a9e3f28e27839e665090e48e1a387147e35443f

SHA512
4a7758c1e060003c13d1819598ddf7a834b957158d604f451d32d34402cd9a87290dd1e3305000d34784b9508df573c972fb921f571d2e01668a63d477305c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\setup.exe
MD5
a2d047194323f716100411294027e993

SHA1
f79f3cf50ca383033a10a5b3d9a56b2788152700

SHA256
90159447ec903913bd2834dd724f67b0f92d2e927af81c6eb1a40ecece634c2c

SHA512
119cdc2dbe861c5a3b3bf87a77424a2e1dc7f0eb2b1c0597cb8b560d2b8d3e72e029b402433769d6081b8d8d4a72594223a71314afbdda344d442d69ba95db5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A314624\setup.exe
MD5
a2d047194323f716100411294027e993

SHA1
f79f3cf50ca383033a10a5b3d9a56b2788152700

SHA256
90159447ec903913bd2834dd724f67b0f92d2e927af81c6eb1a40ecece634c2c

SHA512
119cdc2dbe861c5a3b3bf87a77424a2e1dc7f0eb2b1c0597cb8b560d2b8d3e72e029b402433769d6081b8d8d4a72594223a71314afbdda344d442d69ba95db5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D795E14\setup-stub.exe
MD5
70db8c3ea5cc700f3ed6b0c116cd89bb

SHA1
da504ff87fe32060f7319040449b4fdeff914280

SHA256
8f53fcf56d310d1a5d6ee22093231187ab9a12e1d76a04a99202adf233f675b3

SHA512
9c59085fbcccd8da3615b7f54e18341357d1e0dd05c5807da3390987ce5391b1d0234857bca108827a438d93b9297e1c4812ca26771a5ee3634beed257cba4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D795E14\setup-stub.exe
MD5
70db8c3ea5cc700f3ed6b0c116cd89bb

SHA1
da504ff87fe32060f7319040449b4fdeff914280

SHA256
8f53fcf56d310d1a5d6ee22093231187ab9a12e1d76a04a99202adf233f675b3

SHA512
9c59085fbcccd8da3615b7f54e18341357d1e0dd05c5807da3390987ce5391b1d0234857bca108827a438d93b9297e1c4812ca26771a5ee3634beed257cba4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi38B.tmp\config.ini
MD5
ed23468cb20f1f37a967eb26f639faef

SHA1
5707e3d394b6a3e36e8b1e23317ec115bafa1e9c

SHA256
812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913

SHA512
9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi38B.tmp\download.exe
MD5
139755618e137b91958e294aa9968595

SHA1
56f413961282e64dbb9b4978900c4a2a54a7f9df

SHA256
9f76606a985a4356bce057cc899f9cc74b5f20119fd4554482a1f1e50631ca6c

SHA512
9c316fed3aa03545a22648da61a716e8471bc5e9bbf98483e785eaa515a69c771348803cf68d14e42bb65a8709ed615e0145c0bac500dd709515aa84d17fcaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi38B.tmp\download.exe
MD5
139755618e137b91958e294aa9968595

SHA1
56f413961282e64dbb9b4978900c4a2a54a7f9df

SHA256
9f76606a985a4356bce057cc899f9cc74b5f20119fd4554482a1f1e50631ca6c

SHA512
9c316fed3aa03545a22648da61a716e8471bc5e9bbf98483e785eaa515a69c771348803cf68d14e42bb65a8709ed615e0145c0bac500dd709515aa84d17fcaab

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A314624\setup.exe
MD5
a2d047194323f716100411294027e993

SHA1
f79f3cf50ca383033a10a5b3d9a56b2788152700

SHA256
90159447ec903913bd2834dd724f67b0f92d2e927af81c6eb1a40ecece634c2c

SHA512
119cdc2dbe861c5a3b3bf87a77424a2e1dc7f0eb2b1c0597cb8b560d2b8d3e72e029b402433769d6081b8d8d4a72594223a71314afbdda344d442d69ba95db5e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4D795E14\setup-stub.exe
MD5
70db8c3ea5cc700f3ed6b0c116cd89bb

SHA1
da504ff87fe32060f7319040449b4fdeff914280

SHA256
8f53fcf56d310d1a5d6ee22093231187ab9a12e1d76a04a99202adf233f675b3

SHA512
9c59085fbcccd8da3615b7f54e18341357d1e0dd05c5807da3390987ce5391b1d0234857bca108827a438d93b9297e1c4812ca26771a5ee3634beed257cba4f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsc6365.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsc6365.tmp\UAC.dll
MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\CertCheck.dll
MD5
2979f933cbbac19cfe35b1fa02cc95a4

SHA1
4f208c9c12199491d7ba3c1ee640fca615e11e92

SHA256
bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f

SHA512
61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

Download Submit
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\InetBgDL.dll
MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\UAC.dll
MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\UserInfo.dll
MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\WebBrowser.dll
MD5
dfe24aa39f009e9d98b20b7c9cc070b1

SHA1
f48e4923c95466f689e8c5408265b52437ed2701

SHA256
8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444

SHA512
665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

Download Submit
\Users\Admin\AppData\Local\Temp\nsi38B.tmp\download.exe
MD5
139755618e137b91958e294aa9968595

SHA1
56f413961282e64dbb9b4978900c4a2a54a7f9df

SHA256
9f76606a985a4356bce057cc899f9cc74b5f20119fd4554482a1f1e50631ca6c

SHA512
9c316fed3aa03545a22648da61a716e8471bc5e9bbf98483e785eaa515a69c771348803cf68d14e42bb65a8709ed615e0145c0bac500dd709515aa84d17fcaab

Download Submit
memory/276-80-0x0000000000000000-mapping.dmp

Download
memory/276-144-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/276-145-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/276-131-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/276-148-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/436-146-0x0000000000000000-mapping.dmp

Download
memory/788-149-0x0000000000000000-mapping.dmp

Download
memory/900-775-0x0000000000000000-mapping.dmp

Download
memory/904-150-0x0000000000000000-mapping.dmp

Download
memory/916-766-0x0000000000000000-mapping.dmp

Download
memory/928-76-0x0000000000000000-mapping.dmp

Download
memory/1316-658-0x0000000000000000-mapping.dmp

Download
memory/1316-726-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/1600-142-0x0000000000000000-mapping.dmp

Download
memory/1620-140-0x0000000000000000-mapping.dmp

Download
memory/1624-136-0x0000000000000000-mapping.dmp

Download
memory/1648-138-0x0000000000000000-mapping.dmp

Download
memory/1672-134-0x0000000000000000-mapping.dmp

Download
memory/1952-133-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

Filesize
8KB

Download
memory/1952-132-0x0000000000000000-mapping.dmp

Download
memory/1972-61-0x0000000000000000-mapping.dmp

Download
memory/1972-63-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1972-70-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1972-71-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/2056-1068-0x0000000000000000-mapping.dmp

Download
memory/2248-800-0x0000000000000000-mapping.dmp

Download
memory/2248-826-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/2248-830-0x0000000074BA0000-0x0000000074C91000-memory.dmp

Filesize
964KB

Download
memory/2704-870-0x0000000000000000-mapping.dmp

Download