5fb07e12780a0f1d9aee1e687c123fb4ed95c53b51fb232ecc344e960854b4c8

Analysis

max time kernel
104s
max time network
56s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/10/2022, 23:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Firefox Installer.exe
Size

343KB
MD5

7f3d2761da38f9800f13c667982e8162
SHA1

976215f19aa718af0d6e2f858308d1269439cd68
SHA256

5fb07e12780a0f1d9aee1e687c123fb4ed95c53b51fb232ecc344e960854b4c8
SHA512

93f6704424144bbc86a2158ab8496d812e0be79a9d8fe31ca03f07aaea416e8ccf4b59172439a6820c543f134d2dc3ff8602c076bce9c6a6475839b854ba7f2b
SSDEEP

6144:haVWdyzOxeA1DfdwX3MmIOTZfAJZTg8rK1O48/exPUjhWj6rM9nZZIufyTvzMZQZ:hMROxdDfOnMmXVfk7KNUjhWj6Y9ZZIui

Score

8^/10

discovery evasion spyware stealer trojan upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

pid	Process
1960	setup-stub.exe
1480	download.exe
1712	setup.exe
1796	maintenanceservice_installer.exe
1536	maintenanceservice_tmp.exe
596	default-browser-agent.exe
1620	firefox.exe
812	firefox.exe
1056	firefox.exe
1036	firefox.exe
1640	firefox.exe
2068	firefox.exe
2220	firefox.exe
2428	firefox.exe
2472	firefox.exe
2484	firefox.exe
2920	firefox.exe
2268	crashreporter.exe
2312	minidump-analyzer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-67-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x00070000000133d3-73.dat	upx
behavioral1/files/0x00070000000133d3-75.dat	upx
behavioral1/files/0x00070000000133d3-76.dat	upx
behavioral1/memory/1480-78-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
1972	Firefox Installer.exe
1960	setup-stub.exe
1960	setup-stub.exe
1960	setup-stub.exe
1960	setup-stub.exe
1960	setup-stub.exe
1960	setup-stub.exe
1960	setup-stub.exe
1960	setup-stub.exe
1960	setup-stub.exe
1480	download.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1592	regsvr32.exe
1592	regsvr32.exe
1592	regsvr32.exe
1592	regsvr32.exe
1592	regsvr32.exe
1592	regsvr32.exe
1592	regsvr32.exe
1164	regsvr32.exe
1712	setup.exe
1712	setup.exe
1796	maintenanceservice_installer.exe
1796	maintenanceservice_installer.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
1712	setup.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe
596	default-browser-agent.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\breakpadinjector.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\osclientcerts.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsdE237.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsdE23A.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ucrtbase.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\qipcap64.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\locale.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\notificationserver.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\qipcap.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\removed-files	setup.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nst246F.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	setup.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	maintenanceservice_tmp.exe
File created	C:\Program Files\Mozilla Firefox\mozglue.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\dependentlibs.list	setup.exe
File created	C:\Program Files\Mozilla Firefox\libEGL.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\postSigningData	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\blocklist.xml	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\osclientcerts.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	setup-stub.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\NumMethods\ = "5"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\ = "Firefox PDF Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\NumMethods	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}\InprocHandler32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\FriendlyTypeName = "Firefox PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods\ = "8"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ = "IHandlerControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ = "IGeckoBackChannel"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\DDEEXEC	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications	crashreporter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\crashreporter.exe	crashreporter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\NumMethods\ = "7"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods\ = "18"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\AsynchronousInterface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\firefox.exe\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\AsynchronousInterface\ = "{DCA8D857-1A63-4045-8F36-8809EB093D04}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\ = "Firefox HTML Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Applications\crashreporter.exe\NoOpenWith = "0"	crashreporter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup-stub.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1536	maintenanceservice_tmp.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	812	firefox.exe
Token: SeDebugPrivilege	812	firefox.exe
Token: SeDebugPrivilege	812	firefox.exe
Token: SeDebugPrivilege	812	firefox.exe
Token: SeDebugPrivilege	812	firefox.exe
Token: SeShutdownPrivilege	812	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1960	setup-stub.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe
812	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
812	firefox.exe
812	firefox.exe
812	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1960	setup-stub.exe
1960	setup-stub.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1960	1972	Firefox Installer.exe	28
PID 1972 wrote to memory of 1960	1972	Firefox Installer.exe	28
PID 1972 wrote to memory of 1960	1972	Firefox Installer.exe	28
PID 1972 wrote to memory of 1960	1972	Firefox Installer.exe	28
PID 1972 wrote to memory of 1960	1972	Firefox Installer.exe	28
PID 1972 wrote to memory of 1960	1972	Firefox Installer.exe	28
PID 1972 wrote to memory of 1960	1972	Firefox Installer.exe	28
PID 1960 wrote to memory of 1480	1960	setup-stub.exe	31
PID 1960 wrote to memory of 1480	1960	setup-stub.exe	31
PID 1960 wrote to memory of 1480	1960	setup-stub.exe	31
PID 1960 wrote to memory of 1480	1960	setup-stub.exe	31
PID 1480 wrote to memory of 1712	1480	download.exe	32
PID 1480 wrote to memory of 1712	1480	download.exe	32
PID 1480 wrote to memory of 1712	1480	download.exe	32
PID 1480 wrote to memory of 1712	1480	download.exe	32
PID 1480 wrote to memory of 1712	1480	download.exe	32
PID 1480 wrote to memory of 1712	1480	download.exe	32
PID 1480 wrote to memory of 1712	1480	download.exe	32
PID 1712 wrote to memory of 1192	1712	setup.exe	33
PID 1712 wrote to memory of 1192	1712	setup.exe	33
PID 1712 wrote to memory of 1192	1712	setup.exe	33
PID 1712 wrote to memory of 1192	1712	setup.exe	33
PID 1712 wrote to memory of 1192	1712	setup.exe	33
PID 1712 wrote to memory of 1192	1712	setup.exe	33
PID 1712 wrote to memory of 1192	1712	setup.exe	33
PID 1192 wrote to memory of 1592	1192	regsvr32.exe	34
PID 1192 wrote to memory of 1592	1192	regsvr32.exe	34
PID 1192 wrote to memory of 1592	1192	regsvr32.exe	34
PID 1192 wrote to memory of 1592	1192	regsvr32.exe	34
PID 1192 wrote to memory of 1592	1192	regsvr32.exe	34
PID 1192 wrote to memory of 1592	1192	regsvr32.exe	34
PID 1192 wrote to memory of 1592	1192	regsvr32.exe	34
PID 1712 wrote to memory of 1704	1712	setup.exe	35
PID 1712 wrote to memory of 1704	1712	setup.exe	35
PID 1712 wrote to memory of 1704	1712	setup.exe	35
PID 1712 wrote to memory of 1704	1712	setup.exe	35
PID 1712 wrote to memory of 1704	1712	setup.exe	35
PID 1712 wrote to memory of 1704	1712	setup.exe	35
PID 1712 wrote to memory of 1704	1712	setup.exe	35
PID 1704 wrote to memory of 1164	1704	regsvr32.exe	36
PID 1704 wrote to memory of 1164	1704	regsvr32.exe	36
PID 1704 wrote to memory of 1164	1704	regsvr32.exe	36
PID 1704 wrote to memory of 1164	1704	regsvr32.exe	36
PID 1704 wrote to memory of 1164	1704	regsvr32.exe	36
PID 1704 wrote to memory of 1164	1704	regsvr32.exe	36
PID 1704 wrote to memory of 1164	1704	regsvr32.exe	36
PID 1712 wrote to memory of 1796	1712	setup.exe	37
PID 1712 wrote to memory of 1796	1712	setup.exe	37
PID 1712 wrote to memory of 1796	1712	setup.exe	37
PID 1712 wrote to memory of 1796	1712	setup.exe	37
PID 1712 wrote to memory of 1796	1712	setup.exe	37
PID 1712 wrote to memory of 1796	1712	setup.exe	37
PID 1712 wrote to memory of 1796	1712	setup.exe	37
PID 1796 wrote to memory of 1536	1796	maintenanceservice_installer.exe	38
PID 1796 wrote to memory of 1536	1796	maintenanceservice_installer.exe	38
PID 1796 wrote to memory of 1536	1796	maintenanceservice_installer.exe	38
PID 1796 wrote to memory of 1536	1796	maintenanceservice_installer.exe	38
PID 1712 wrote to memory of 596	1712	setup.exe	39
PID 1712 wrote to memory of 596	1712	setup.exe	39
PID 1712 wrote to memory of 596	1712	setup.exe	39
PID 1712 wrote to memory of 596	1712	setup.exe	39
PID 1960 wrote to memory of 1620	1960	setup-stub.exe	41
PID 1960 wrote to memory of 1620	1960	setup-stub.exe	41
PID 1960 wrote to memory of 1620	1960	setup-stub.exe	41

C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\7zS4B7460CB\setup-stub.exe
  .\setup-stub.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\download.exe
    "C:\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\config.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\setup.exe
      .\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\config.ini
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1592
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
      - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1164
    - - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
        
        "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
    - - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
        
        "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
    3⤵
    - Executes dropped EXE
    PID:1620
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Checks whether UAC is enabled
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:812
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.0.81011510\691347121" -parentBuildID 20221025065831 -prefsHandle 1304 -prefMapHandle 1268 -prefsLen 21066 -prefMapSize 233449 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14f50fad-013c-4ea2-85b4-0ff359a22b86} 812 "\\.\pipe\gecko-crash-server-pipe.812" 1332 cd17260 socket
        5⤵
        Executes dropped EXE
        
        PID:1056
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.1.2052770174\99737501" -parentBuildID 20221025065831 -prefsHandle 996 -prefMapHandle 1760 -prefsLen 21202 -prefMapSize 233449 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1342900-6cea-49ea-b4c2-8765ef6f88c5} 812 "\\.\pipe\gecko-crash-server-pipe.812" 1700 101781a0 gpu
        5⤵
        Executes dropped EXE
        
        PID:1036
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.2.1495723200\1200256812" -childID 1 -isForBrowser -prefsHandle 2052 -prefMapHandle 1964 -prefsLen 22479 -prefMapSize 233449 -jsInitHandle 904 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221025065831 -appDir "C:\Program Files\Mozilla Firefox\browser" - {239a7806-a979-4822-885b-db41d4ec1ec7} 812 "\\.\pipe\gecko-crash-server-pipe.812" 1924 11b23280 tab
        5⤵
        Executes dropped EXE
        
        PID:1640
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.3.721383065\442612200" -childID 2 -isForBrowser -prefsHandle 2184 -prefMapHandle 2180 -prefsLen 22479 -prefMapSize 233449 -jsInitHandle 904 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221025065831 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efce76c4-eb28-4eab-8970-b881d38cc3a7} 812 "\\.\pipe\gecko-crash-server-pipe.812" 2196 11b233f0 tab
        5⤵
        Executes dropped EXE
        
        PID:2068
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.4.1569413350\1937884056" -parentBuildID 20221025065831 -prefsHandle 2484 -prefMapHandle 2480 -prefsLen 23549 -prefMapSize 233449 -appDir "C:\Program Files\Mozilla Firefox\browser" - {551f01a4-fc71-4d0a-89a2-04c07baadf22} 812 "\\.\pipe\gecko-crash-server-pipe.812" 2476 1017a6c0 rdd
        5⤵
        Executes dropped EXE
        
        PID:2220
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.5.318683576\2057216612" -childID 3 -isForBrowser -prefsHandle 2956 -prefMapHandle 2952 -prefsLen 23723 -prefMapSize 233449 -jsInitHandle 904 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221025065831 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5c94721-4899-4ba4-94a1-6fe5b931585d} 812 "\\.\pipe\gecko-crash-server-pipe.812" 2968 1633d280 tab
        5⤵
        Executes dropped EXE
        
        PID:2428
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.6.331606555\1237450049" -childID 4 -isForBrowser -prefsHandle 2012 -prefMapHandle 1828 -prefsLen 23723 -prefMapSize 233449 -jsInitHandle 904 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221025065831 -appDir "C:\Program Files\Mozilla Firefox\browser" - {028cbdd1-6904-4224-b6cf-edf1abbc5133} 812 "\\.\pipe\gecko-crash-server-pipe.812" 1940 11b23e00 tab
        5⤵
        Executes dropped EXE
        
        PID:2472
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.7.148374627\794958469" -childID 5 -isForBrowser -prefsHandle 1216 -prefMapHandle 1860 -prefsLen 23723 -prefMapSize 233449 -jsInitHandle 904 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221025065831 -appDir "C:\Program Files\Mozilla Firefox\browser" - {876dc40c-e6b6-4670-adc3-fcc94ed4aedf} 812 "\\.\pipe\gecko-crash-server-pipe.812" 1992 11b23280 tab
        5⤵
        Executes dropped EXE
        
        PID:2484
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.8.801083350\1371906866" -childID 6 -isForBrowser -prefsHandle 3716 -prefMapHandle 3656 -prefsLen 29365 -prefMapSize 233449 -jsInitHandle 904 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221025065831 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e88c2535-b0c1-4c42-bd16-1e0da707d27f} 812 "\\.\pipe\gecko-crash-server-pipe.812" 3732 1633d9b0 tab
        5⤵
        Executes dropped EXE
        
        PID:2920
    - - C:\Program Files\Mozilla Firefox\crashreporter.exe
        
        "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\minidumps\31180f73-0a32-4cde-ba72-34f186763273.dmp"
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
      - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
        
        "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8by27av1.default-release\minidumps\31180f73-0a32-4cde-ba72-34f186763273.dmp"
        6⤵
        Executes dropped EXE
        
        PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4B7460CB\setup-stub.exe

Filesize
552KB

MD5
caf789710e5c50f9c0f77d5d4a84fe9a

SHA1
e4de579620a39d93341d86558a90cf71982bc3b6

SHA256
15b7390705449b23182374dc1284b3028b1eb95e45784774baefa7e1ea80cc3d

SHA512
e7cbcaa4467620dec7ce40d6ef800b0a75e384eab16db08379196aa9464115cbfbc81f77f09c886f2fa11010c459682b2da78a6c847389dfe411f679d30397a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B7460CB\setup-stub.exe

Filesize
552KB

MD5
caf789710e5c50f9c0f77d5d4a84fe9a

SHA1
e4de579620a39d93341d86558a90cf71982bc3b6

SHA256
15b7390705449b23182374dc1284b3028b1eb95e45784774baefa7e1ea80cc3d

SHA512
e7cbcaa4467620dec7ce40d6ef800b0a75e384eab16db08379196aa9464115cbfbc81f77f09c886f2fa11010c459682b2da78a6c847389dfe411f679d30397a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\Accessible.tlb

Filesize
2KB

MD5
e49aeb412aab7c49a27e6feaa0ca40ce

SHA1
6a2f6ea9facc48a3f736e03fda2c1ce44b744af3

SHA256
754fd922f8c93b66f723c30d39083a6a1fe33fa4b6439d55ad2459be40c3151e

SHA512
8c3f957d032fa8edb523cd3f473a57e2cc020c9e6e33aea183cad8b435777660f4c7e87ba62c67bbb1aef726d109f0f34b2d86c159ca9bd98bfad43c89af7ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\AccessibleHandler.dll

Filesize
159KB

MD5
40b067a997bebb00b219698808c0aef3

SHA1
463090f0024734a3c6c47abbfd11a8bc644c80a2

SHA256
bd2b1cc79109c0633fc10cc70ca81505a9166aa98eb4e258fb2f1f8065051bef

SHA512
170e0d0e9e25c5947a948b04e334583567dba3d08dad134810c71c6b8e42414bb8e53b426aaa74b5beaa96a4ed36d344e45ce02b78a3299341b707ad9bf495e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\AccessibleMarshal.dll

Filesize
30KB

MD5
bee0f561b11dc78ea0769d8c3afafe48

SHA1
a7877ec2ca30840daea5a6d230035998341b242f

SHA256
72768cabbbe365508b2ca5d380e55074e5f2219045855c18c437743f6a2992cd

SHA512
27c12c8fed6e586a70bcd3c25f96aedbc596c030a0a3d904d5e424946e19cbd2e0e72ae8a692adaea8336d865669a5b3a5fda3bf1e7b53a477e8ac8932e0ae4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\IA2Marshal.dll

Filesize
74KB

MD5
0874e316dc4adbb7c4b230c040609945

SHA1
cec12cb8e25f1eba6c04c95cc28d47a4e4101405

SHA256
db3f562e2bc2f734c2de07cdedd29bcab7227564eb00d855d4b86c315dbc497c

SHA512
27dc7663ea3f8a283325a7f2d061880e562ce89c526bb7203fdb18d5c99cbf15e73ccad4c60dc993607c3b6f8745a604b30ea009f494698679448d56b65cb9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-core-file-l1-2-0.dll

Filesize
17KB

MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-core-file-l2-1-0.dll

Filesize
17KB

MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
6e704280d632c2f8f2cadefcae25ad85

SHA1
699c5a1c553d64d7ff3cf4fe57da72bb151caede

SHA256
758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893

SHA512
ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
c9a55de62e53d747c5a7fddedef874f9

SHA1
c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad

SHA256
b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b

SHA512
adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-conio-l1-1-0.dll

Filesize
18KB

MD5
a668c5ee307457729203ae00edebb6b3

SHA1
2114d84cf3ec576785ebbe6b2184b0d634b86d71

SHA256
a95b1af74623d6d5d892760166b9bfac8926929571301921f1e62458e6d1a503

SHA512
73dc1a1c2ceb98ca6d9ddc7611fc44753184be00cfba07c4947d675f0b154a09e6013e1ef54ac7576e661fc51b4bc54fdd96a0c046ab4ee58282e711b1854730

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-convert-l1-1-0.dll

Filesize
21KB

MD5
9ddea3cc96e0fdd3443cc60d649931b3

SHA1
af3cb7036318a8427f20b8561079e279119dca0e

SHA256
b7c3ebc36c84630a52d23d1c0e79d61012dfa44cdebdf039af31ec9e322845a5

SHA512
1427193b31b64715f5712db9c431593bdc56ef512fe353147ddb7544c1c39ded4371cd72055d82818e965aff0441b7cbe0b811d828efb0ece28471716659e162

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
39325e5f023eb564c87d30f7e06dff23

SHA1
03dd79a7fbe3de1a29359b94ba2d554776bdd3fe

SHA256
56d8b7ee7619579a3c648eb130c9354ba1ba5b33a07a4f350370ee7b3653749a

SHA512
087b9dcb744ad7d330bacb9bda9c1a1df28ebb9327de0c5dc618e79929fd33d1b1ff0e1ef4c08f8b3ea8118b968a89f44fe651c66cba4ecbb3216cd4bcce3085

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
228c6bbe1bce84315e4927392a3baee5

SHA1
ba274aa567ad1ec663a2f9284af2e3cb232698fb

SHA256
ac0cec8644340125507dd0bc9a90b1853a2d194eb60a049237fb5e752d349065

SHA512
37a60cce69e81f68ef62c58bba8f2843e99e8ba1b87df9a5b561d358309e672ae5e3434a10a3dde01ae624d1638da226d42c64316f72f3d63b08015b43c56cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
1776a2b85378b27825cf5e5a3a132d9a

SHA1
626f0e7f2f18f31ec304fe7a7af1a87cbbebb1df

SHA256
675b1b82dd485cc8c8a099272db9241d0d2a7f45424901f35231b79186ec47ee

SHA512
541a5dd997fc5fec31c17b4f95f03c3a52e106d6fb590cb46bdf5adad23ed4a895853768229f3fbb9049f614d9bae031e6c43cec43fb38c89f13163721bb8348

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
034379bcea45eb99db8cdfeacbc5e281

SHA1
bbf93d82e7e306e827efeb9612e8eab2b760e2b7

SHA256
8b543b1bb241f5b773eb76f652dad7b12e3e4a09230f2e804cd6b0622e8baf65

SHA512
7ea6efb75b0c59d3120d5b13da139042726a06d105c924095ed252f39ac19e11e8a5c6bb1c45fa7519c0163716745d03fb9daaaca50139a115235ab2815cc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
8da414c3524a869e5679c0678d1640c1

SHA1
60cf28792c68e9894878c31b323e68feb4676865

SHA256
39723e61c98703034b264b97ee0fe12e696c6560483d799020f9847d8a952672

SHA512
6ef3f81206e7d4dca5b3c1fafc9aa2328b717e61ee0acce30dfb15ad0fe3cb59b2bd61f92bf6046c0aae01445896dcb1485ad8be86629d22c3301a1b5f4f2cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
19d7f2d6424c98c45702489a375d9e17

SHA1
310bc4ed49492383e7c669ac9145bda2956c7564

SHA256
a6b83b764555d517216e0e34c4945f7a7501c1b7a25308d8f85551fe353f9c15

SHA512
01c09edef90c60c9e6cdabff918f15afc9b728d6671947898ce8848e3d102f300f3fb4246af0ac9c6f57b3b85b24832d7b40452358636125b61eb89567d3b17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-private-l1-1-0.dll

Filesize
71KB

MD5
3d139f57ed79d2c788e422ca26950446

SHA1
788e4fb5d1f46b0f1802761d0ae3addb8611c238

SHA256
dc25a882ac454a0071e4815b0e939dc161ba73b5c207b84afd96203c343b99c7

SHA512
12ed9216f44aa5f245c707fe39aed08dc18ea675f5a707098f1a1da42b348a649846bc919fd318de7954ea9097c01f22be76a5d85d664ef030381e7759840765

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-process-l1-1-0.dll

Filesize
18KB

MD5
9d3d6f938c8672a12aea03f85d5330de

SHA1
6a7d6e84527eaf54d6f78dd1a5f20503e766a66c

SHA256
707c9a384440d0b2d067fc0335273f8851b02c3114842e17df9c54127910d7fb

SHA512
0e1681b16cd9af116bcc5c6b4284c1203b33febb197d1d4ab8a649962c0e807af9258bde91c86727910624196948e976741411843dd841616337ea93a27de7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
fb0ca6cbfff46be87ad729a1c4fde138

SHA1
2c302d1c535d5c40f31c3a75393118b40e1b2af9

SHA256
1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df

SHA512
99144c67c33e89b8283c5b39b8bf68d55638daa6acc2715a2ac8c5dba4170dd12299d3a2dffb39ae38ef0872c2c68a64d7cdc6ceba5e660a53942761cb9eca83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
d5166ab3034f0e1aa679bfa1907e5844

SHA1
851dd640cb34177c43b5f47b218a686c09fa6b4c

SHA256
7bcab4ca00fb1f85fea29dd3375f709317b984a6f3b9ba12b8cf1952f97beee5

SHA512
8f2d7442191de22457c1b8402faad594af2fe0c38280aaafc876c797ca79f7f4b6860e557e37c3dbe084fe7262a85c358e3eeaf91e16855a91b7535cb0ac832e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-string-l1-1-0.dll

Filesize
23KB

MD5
ad99c2362f64cde7756b16f9a016a60f

SHA1
07c9a78ee658bfa81db61dab039cffc9145cc6cb

SHA256
73ab2161a7700835b2a15b7487045a695706cc18bcee283b114042570bb9c0aa

SHA512
9c72f239adda1de11b4ad7028f3c897c93859ef277658aeaa141f09b7ddfe788d657b9cb1e2648971ecd5d27b99166283110ccba437d461003dbb9f6885451f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
9b79fda359a269c63dcac69b2c81caa4

SHA1
a38c81b7a2ec158dfcfeb72cb7c04b3eb3ccc0fb

SHA256
4d0f0ea6e8478132892f9e674e27e2bc346622fc8989c704e5b2299a18c1d138

SHA512
e69d275c5ec5eae5c95b0596f0cc681b7d287b3e2f9c78a9b5e658949e6244f754f96ad7d40214d22ed28d64e4e8bd507363cdf99999fea93cfe319078c1f541

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
70e9104e743069b573ca12a3cd87ec33

SHA1
4290755b6a49212b2e969200e7a088d1713b84a2

SHA256
7e6b33a4c0c84f18f2be294ec63212245af4fd8354636804ffe5ee9a0d526d95

SHA512
e979f28451d271f405b780fc2025707c8a29dcb4c28980ca42e33d4033666de0e4a4644defec6c1d5d4bdd3c73d405fafcffe3320c60134681f62805c965bfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\application.ini

Filesize
899B

MD5
80b5b548385232e2fa2835a3955f7b47

SHA1
d9235f909d57e5dda4b843eee19dbdffa2a32d5c

SHA256
fdaabc81ef22b835d3c929573ba2c321d3206b90fb2a536e4d91ede89dc96e53

SHA512
43e22a09642990821b5bbff041b2a6fa20ef9ddd913b9b6173f20e726c26dad77056cd7ff01c215b126be30e2bc95f086d58a90f600581f02ae80343a27ff095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\breakpadinjector.dll

Filesize
123KB

MD5
08181bd16e5d7fff3f961da634bb4060

SHA1
7b926beeb2cee221cfb008d080bbbee49d5d98a0

SHA256
727a546805e1e7c2c2d54f9c0ba9aa23eb5b5b79dad02b65108a7091b0cb7425

SHA512
05511da13eab0e7fb4067ffc3f47d5c3df43aea6db100fc58159e8681cf812e4b4b36cb54615b50c75f826f8797d1b703cbfb1534a726b3e638add5de7f66705

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\crashreporter.exe

Filesize
238KB

MD5
18d1cc22916c75cfb8b6c1935e6b7e80

SHA1
7eea188fff2b20702580ac5f1c0e721990cb4424

SHA256
7b6541d0365ec8ddb66796251a73636f48409ecafb9fd39f029e5cbbb0ca056d

SHA512
60e1af8fc43885379d0052effe27b5b1f0be6e1830d4a048a145d71427b83decc4bb48b2966c7b94496599312b08b746e54a10922113f7e72eddf079e2726e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\crashreporter.ini

Filesize
3KB

MD5
1b0d446f9d17c1374c81acec9d8d2406

SHA1
016bca3d4ee9a0dbb4350ee7a1898779dced6c11

SHA256
a0cc8cc3287d54d7e23a156256a553792970df9ca57f6ad85dceed32b979da71

SHA512
4e7de92579628cf8c31287506d6f3096bb15402ee6d694a72462cbd1f093e7d04cbcc9e13691b94408091e0c5ea8d8c528365a90885b55a126416af37be6979a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\d3dcompiler_47.dll

Filesize
3.5MB

MD5
587a415cd5ac2069813adef5f7685021

SHA1
ca0e2fe1922b3cdc9e96e636a73e5c85a838e863

SHA256
2ad0d4987fc4624566b190e747c9d95038443956ed816abfd1e2d389b5ec0851

SHA512
0fa0e89ea1c1cb27ac7f621feb484438e378a8f5675eca7a91f24e0569174bd848d470d6b3e237fe6ab27ca1eb1ecc09b5f044e53a6d98bf908e77ac511183e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\default-browser-agent.exe

Filesize
651KB

MD5
b7f1d6f4400e30b892c302f09006febc

SHA1
661693690361cdb12e3fda382c20196bd2dc6f46

SHA256
1433fbe5ba45326ccc4993c8b5b0a1aafac58009a4178e446ef184af14a942dd

SHA512
f8f33bd1edd51696d3497f878899ba52ea6d3c57902d45af5f71925d3b02e4be7c7dedb979fea3d18cf66871495ddcf05c8048316f97ca607efd62bd63bff9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\defaultagent.ini

Filesize
932B

MD5
88d7d32ad20bf89bb7785bd07c638e17

SHA1
2bd40f0b69c2edc64ab6b7e6dd2e7ca6a6fea6f6

SHA256
5cf0660a8f2624433c8c1022f93ff3c94c5611ccbc93118ee053566590eb53f4

SHA512
7bb3328ce42e7bb546a2192ade1e8e153408912f3582c27dc0c5cbe1c2d807365aaf4206c3ceab6cb3d6c34d3155125cb7509dbf800ecf70ab35f8a64f764010

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\defaultagent_localized.ini

Filesize
1022B

MD5
dfa56f0760554fa9708e45248e6c576c

SHA1
f0976a4141e3dc15ba0ff9db6045b9dfbd2668e0

SHA256
8aa7e80abf76d1e81205a10d92373ef1029778b9ae9c15dd3ba758aa26e84d88

SHA512
ccc252daf5345da69530cf03da15c7634b89cc4fefaedfed5cf96f90c15f780f323f5c1155bddf2a4b0577a59404601ca5776ca9f0cfbfcf6cd91e5453cb6a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\dependentlibs.list

Filesize
446B

MD5
c35d2da6df0f7abb4d0bd534c5d5b6b0

SHA1
a4da4ca15d97746796412c2bad3fc8fbea716869

SHA256
ce638d544efe50176888e17bfbf78f118dc733ce5c2fee2eb66436ba96341345

SHA512
d27f58fb344b2303db2f4a48a153c9f11eec1663020ba8b5b973fd001c4a8c27c11e29a54b6d1913888b4ddf376aa7f45c8218378abe39a64ebdae4feb6b25cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\firefox.VisualElementsManifest.xml

Filesize
557B

MD5
0aa43576f0420593451b10ab3b7582ec

SHA1
b5f535932053591c7678faa1cd7cc3a7de680d0d

SHA256
3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6

SHA512
6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\firefox.exe

Filesize
578KB

MD5
ab7229d2a10039c2713b43976f326626

SHA1
06076b1abb95915d0015b01d08540777dcd40fb2

SHA256
4faa2de2523b086216c85167be28971f25a34d7f78e2d8f757c170f33dd72803

SHA512
1e9cb73d294609f6f0e4f97952a90a263cdf1145e7d736892066e565be3a952126e3049819dfda1b2998e620afe81c9dd3d587edef6dd5788f73ffa572c4246e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\firefox.exe.sig

Filesize
1KB

MD5
e9ac791c02b0f422aa1fd1ef26d90622

SHA1
047ef9d981ee09e4ce15a180734d3c57d883b1c6

SHA256
32e2d0220201bc4ed62e6eeca95207c8fc088b4eb973602347aa6bdc39e75f46

SHA512
9ad9443fdf22cd901b32c899fb8a022f006423f440521e1aab353027418ff4dc43ba9b6af487673841285b6ff82d1336d27db464feac12d35dcd170af2e9f132

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\freebl3.dll

Filesize
669KB

MD5
cc80855a4776b90e9bc228a8df94908a

SHA1
1a04d21ca1afd72c3b18cc69f4649126d2c193e6

SHA256
8a5c17cda3a73d42b2bb052440d0ab758c606921acddb16bb4c11d32fccddaba

SHA512
69f230b7d5d4f431be06cf72fa12555fe46d99f5742616316a648777269f3037142c97dc2427d9fd7860b178ca3c024fdc7d4dd6e6c278fccba43de6cb95b2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\ipcclientcerts.dll

Filesize
191KB

MD5
86698febdcf3d7de31cd9ad674af8bfc

SHA1
6ca4554e8098b4f365e10da2f3121c94cf3257d7

SHA256
d9510e2a62a29f4096af2ce449a34bd829061ea782c042fa92017d26f544f8da

SHA512
1f20abee7c14bcd61fe3b5a1486db13ea8cf5920087fdd0b46b5d2d60d215a83d3c79b2a1e8c41a4962df3e52c8214b1a5a64521806331f59cb95084ea3274bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\lgpllibs.dll

Filesize
37KB

MD5
27fa3f610adc7d91f7dc9656d2afc8c0

SHA1
82f503fea7f3a5a2e6d182d87228eb3dc06c53dc

SHA256
ae56608b81a36f4e434b2a36dc33c7973d78a852a8f4de1d4ad9774c854aabcb

SHA512
19bc0cf64c20566976fdc8ce3af92c5bf1ee40a3832ef8104c1b80af7db77f4a573e1894c8d7e8bcfd6b5074bc37b08193a497f497e7828b1953976b5288140c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\libEGL.dll

Filesize
36KB

MD5
054a9b326908ce2f851173caa219f853

SHA1
10e58ea82ecb9464c199801ba513bfd278e02cf1

SHA256
bf9398bdca666ef4e7cabfb664a2a72a5595ca93e0350c9129ca9840c3101385

SHA512
a1632496bba0a64873784ad3c26b5760e9a51cbca32720a07db5dd3545a877c764f63d046bc45f3a20427f55faaea8a91a7dda231ac54af0f4424c78e62f8266

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\libGLESv2.dll

Filesize
3.7MB

MD5
aeff1190f6bc3beee2ec7bb63ffc6985

SHA1
74679ff8e585c71eb9edd55d0533e4155a6946f3

SHA256
e7e4b31d3c7ed2c042ef739144b2c47f7e168e0c03f37db7127b8f75ca11407b

SHA512
aadc07ce4d352c68021da668cf816bdb86418bc987281d279d5c4c714a51023330430129a7dd8ae4fb28b52dd2899bf4a051f543e6931aaa94e16a844be2ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\locale.ini

Filesize
22B

MD5
bad74b155b8731bfddb8d54cbd1b0021

SHA1
5a4d8b98ae81f75e362d510713e05022be64c60b

SHA256
a4a030b6f430548e5bba3cfc748515d40b72c522a1345957df4ed5f88736013c

SHA512
ebfab2f589390553bd93c1299db8b7a7bfb8b1ac9ac5ce3c2c8d478c79ef8b93d6193f9e739e94f662dfc026cd49b04a8f2fe3ed82dd4bd191d1cf34e1e4501a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\core\maintenanceservice.exe

Filesize
206KB

MD5
ed2792f3616ea265f7126cc82d45a9ec

SHA1
10f3cf036484a04c00aa9b051b9214433f9edb43

SHA256
ce9d1989f31b46a736c4cc2e3ca20a2fe852caf200c435dee7e0cc2fd330a189

SHA512
f9ff3a6113ff15f0b05d1205c87f5d308b2d378dbc71b2a2fd9653008eb4389ac96080c71fef16b09f95441f8af86e66f42ec0e4fa82b7712cc048e90de10c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\setup.exe

Filesize
926KB

MD5
cd31397159e8f3e369788bdcc4995054

SHA1
f9e68f6f19e565bae19abfb8a2f5cab504cc2da4

SHA256
40ca00c2cfc12bc51cb0cb3d415503ddacc82f2c44deb1410c76b07addcd2be0

SHA512
8a562ed4b17f4ee46cf223f1f7b7480b589714720209a7f5cdf91e56fc2ff2ae62a1dc5067e327e425d92a8a97face623f9c3751b5435d839bc590ed6513071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C59952C\setup.exe

Filesize
926KB

MD5
cd31397159e8f3e369788bdcc4995054

SHA1
f9e68f6f19e565bae19abfb8a2f5cab504cc2da4

SHA256
40ca00c2cfc12bc51cb0cb3d415503ddacc82f2c44deb1410c76b07addcd2be0

SHA512
8a562ed4b17f4ee46cf223f1f7b7480b589714720209a7f5cdf91e56fc2ff2ae62a1dc5067e327e425d92a8a97face623f9c3751b5435d839bc590ed6513071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\config.ini

Filesize
187B

MD5
ed23468cb20f1f37a967eb26f639faef

SHA1
5707e3d394b6a3e36e8b1e23317ec115bafa1e9c

SHA256
812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913

SHA512
9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\download.exe

Filesize
52.7MB

MD5
ab7421381c1415875c385519a34b5742

SHA1
c8c94d52adbe23b48d477cc1be466066322cc9df

SHA256
7cd7d617b2d49f4cc5191fb778dcf363a8f647da9263d726a21d24f6e7bb98b6

SHA512
bb0b0cb0f1d1fbb5e2ddf439fafe70ef657b039da2bc71fc492c7d65998dd8bf22f325bf08a1ac284ee4529186d4126c03667b93d552566cf157a5a5db56d476

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\download.exe

Filesize
52.7MB

MD5
ab7421381c1415875c385519a34b5742

SHA1
c8c94d52adbe23b48d477cc1be466066322cc9df

SHA256
7cd7d617b2d49f4cc5191fb778dcf363a8f647da9263d726a21d24f6e7bb98b6

SHA512
bb0b0cb0f1d1fbb5e2ddf439fafe70ef657b039da2bc71fc492c7d65998dd8bf22f325bf08a1ac284ee4529186d4126c03667b93d552566cf157a5a5db56d476

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4B7460CB\setup-stub.exe

Filesize
552KB

MD5
caf789710e5c50f9c0f77d5d4a84fe9a

SHA1
e4de579620a39d93341d86558a90cf71982bc3b6

SHA256
15b7390705449b23182374dc1284b3028b1eb95e45784774baefa7e1ea80cc3d

SHA512
e7cbcaa4467620dec7ce40d6ef800b0a75e384eab16db08379196aa9464115cbfbc81f77f09c886f2fa11010c459682b2da78a6c847389dfe411f679d30397a4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8C59952C\setup.exe

Filesize
926KB

MD5
cd31397159e8f3e369788bdcc4995054

SHA1
f9e68f6f19e565bae19abfb8a2f5cab504cc2da4

SHA256
40ca00c2cfc12bc51cb0cb3d415503ddacc82f2c44deb1410c76b07addcd2be0

SHA512
8a562ed4b17f4ee46cf223f1f7b7480b589714720209a7f5cdf91e56fc2ff2ae62a1dc5067e327e425d92a8a97face623f9c3751b5435d839bc590ed6513071b

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\CertCheck.dll

Filesize
15KB

MD5
aed814f87d862cb5ceb00fd0a6d60fb8

SHA1
097418e9181e6b4d95f40410cd4dd962fe27c41b

SHA256
d56e2407b6050d669e94e452f1a54ee1859a1751179a3f1e2b4253305a23a0cf

SHA512
69593e12efe0736ada5a9e1b6f3c238a6434b88068361dfd2f7bb3e50addbf9b56ccaee30321362ce085ea700fbab03bae8494bba8c72e9e9983d3faa569b3d2

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\CityHash.dll

Filesize
53KB

MD5
2021acc65fa998daa98131e20c4605be

SHA1
2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

SHA256
c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

SHA512
cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\InetBgDL.dll

Filesize
17KB

MD5
97c607f5d0add72295f8d0f27b448037

SHA1
dfb9a1aa1d3b1f7821152afaac149cad38c8ce3c

SHA256
dc98ed352476af459c91100b8c29073988da19d3adc73e2c2086d25f238544a5

SHA512
ad759062152869089558389c741876029198c5b98fa725e2d2927866dc8b416ae2de871cb2479f614f6d29b6f646bf7191d02837c3cabc15b8185b563bc46268

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\WebBrowser.dll

Filesize
103KB

MD5
b53cd4ad8562a11f3f7c7890a09df27a

SHA1
db66b94670d47c7ee436c2a5481110ed4f013a48

SHA256
281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

SHA512
bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1F8.tmp\download.exe

Filesize
52.7MB

MD5
ab7421381c1415875c385519a34b5742

SHA1
c8c94d52adbe23b48d477cc1be466066322cc9df

SHA256
7cd7d617b2d49f4cc5191fb778dcf363a8f647da9263d726a21d24f6e7bb98b6

SHA512
bb0b0cb0f1d1fbb5e2ddf439fafe70ef657b039da2bc71fc492c7d65998dd8bf22f325bf08a1ac284ee4529186d4126c03667b93d552566cf157a5a5db56d476

Download Submit
\Users\Admin\AppData\Local\Temp\nsy60D7.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy60D7.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
memory/1192-132-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1480-78-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1960-64-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1960-139-0x0000000006480000-0x00000000064C6000-memory.dmp

Filesize
280KB

Download
memory/1960-77-0x0000000006480000-0x00000000064C6000-memory.dmp

Filesize
280KB

Download
memory/1960-57-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1972-67-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download