fatalrat | 31f15864c8e234405ce72067c73557dac90c8f38a0b396966210f807385590ab

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-12-2022 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Firefox-Setup.msi
Size

6.1MB
MD5

d739d27f7b5f589efbd674b36a550f96
SHA1

97408f933772312614f82cbaeedd8fcd1a136f04
SHA256

31f15864c8e234405ce72067c73557dac90c8f38a0b396966210f807385590ab
SHA512

0bd748085318b70280e50ee4db091ae24a301fc701a16f5963d7dbda8121eaa1cfba1fa0d3f6ac77873d7d668a8cd5601bd5cbc1aa250b6827440e273a59b516
SSDEEP

98304:10Zn7K+AOFnWnnuxTBzZOqUDtOjYgvM2BgwmSSjnduYRFhEvBA6D4BAX1fPQ:1WxLVNZONm0fwXVY1Evic4BAX1fPQ

Score

10^/10

fatalrat discovery evasion infostealer rat spyware stealer trojan upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/672-136-0x0000000000440000-0x000000000046A000-memory.dmp	fatalrat
behavioral1/memory/1924-162-0x0000000000600000-0x000000000062A000-memory.dmp	fatalrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	1120	msiexec.exe
13	960	MsiExec.exe

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

pid	Process
1824	MSIC805.tmp
1468	MSIC815.tmp
556	Firefox.exe
672	helpost.exe
1980	setup-stub.exe
1924	helpost.exe
1360	download.exe
644	setup.exe
968	maintenanceservice_installer.exe
1648	maintenanceservice_tmp.exe
964	default-browser-agent.exe
1504	firefox.exe
1520	firefox.exe
964	firefox.exe
2288	firefox.exe
2424	firefox.exe
2552	firefox.exe
2680	firefox.exe
2892	firefox.exe
2900	firefox.exe
2988	firefox.exe
2080	firefox.exe
2444	firefox.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000013a0e-92.dat	upx
behavioral1/files/0x0007000000013a0e-93.dat	upx
behavioral1/memory/556-103-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1360-172-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
1796	MsiExec.exe
1796	MsiExec.exe
960	MsiExec.exe
672	helpost.exe
672	helpost.exe
556	Firefox.exe
672	helpost.exe
672	helpost.exe
672	helpost.exe
672	helpost.exe
672	helpost.exe
672	helpost.exe
1980	setup-stub.exe
1980	setup-stub.exe
1980	setup-stub.exe
1980	setup-stub.exe
1980	setup-stub.exe
1980	setup-stub.exe
672	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1980	setup-stub.exe
1980	setup-stub.exe
1980	setup-stub.exe
1360	download.exe
644	setup.exe
644	setup.exe
644	setup.exe
560	regsvr32.exe
560	regsvr32.exe
560	regsvr32.exe
560	regsvr32.exe
560	regsvr32.exe
560	regsvr32.exe
560	regsvr32.exe
1500	regsvr32.exe
644	setup.exe
644	setup.exe
968	maintenanceservice_installer.exe
968	maintenanceservice_installer.exe
644	setup.exe
644	setup.exe
644	setup.exe
644	setup.exe
644	setup.exe
644	setup.exe
644	setup.exe
644	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\updater.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\removed-files	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\freebl3.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\softokn3.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsyD05E.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\	setup.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	setup.exe
File created	C:\Program Files\Mozilla Firefox\Accessible.tlb	setup.exe
File created	C:\Program Files\Mozilla Firefox\install.tmp	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\mozavutil.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsjD04E.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozwer.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\omni.ja	setup.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe.sig	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\osclientcerts.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.tmp	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	maintenanceservice_installer.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\application.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\qipcap64.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC815.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIC1A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC282.tmp	msiexec.exe
File created	C:\Windows\Installer\6cb0db.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB93A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC448.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC515.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC69C.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIB551.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5CF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB68B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6cb0db.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC816.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC805.tmp	msiexec.exe
File created	C:\Windows\Installer\6cb0d9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cb0d9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF92.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC119.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIB33E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC437.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	helpost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	helpost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	setup-stub.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\ = "Firefox HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\FriendlyTypeName = "Firefox HTML Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\EditFlags = "2"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\AsynchronousInterface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\FriendlyTypeName = "Firefox URL"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ = "IGeckoBackChannel"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\ = "Firefox PDF Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ = "ISimpleDOMDocument"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\firefox.exe\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}\InprocHandler32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ProxyStubClsid32\ = "{DCA8D857-1A63-4045-8F36-8809EB093D04}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\URL Protocol	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods\ = "18"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\ = "Firefox URL"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SynchronousInterface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\DDEEXEC	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
960	MsiExec.exe
1120	msiexec.exe
1120	msiexec.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1924	helpost.exe
1648	maintenanceservice_tmp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1120	msiexec.exe
Token: SeTakeOwnershipPrivilege	1120	msiexec.exe
Token: SeSecurityPrivilege	1120	msiexec.exe
Token: SeCreateTokenPrivilege	1736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1736	msiexec.exe
Token: SeLockMemoryPrivilege	1736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1736	msiexec.exe
Token: SeMachineAccountPrivilege	1736	msiexec.exe
Token: SeTcbPrivilege	1736	msiexec.exe
Token: SeSecurityPrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeLoadDriverPrivilege	1736	msiexec.exe
Token: SeSystemProfilePrivilege	1736	msiexec.exe
Token: SeSystemtimePrivilege	1736	msiexec.exe
Token: SeProfSingleProcessPrivilege	1736	msiexec.exe
Token: SeIncBasePriorityPrivilege	1736	msiexec.exe
Token: SeCreatePagefilePrivilege	1736	msiexec.exe
Token: SeCreatePermanentPrivilege	1736	msiexec.exe
Token: SeBackupPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeShutdownPrivilege	1736	msiexec.exe
Token: SeDebugPrivilege	1736	msiexec.exe
Token: SeAuditPrivilege	1736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1736	msiexec.exe
Token: SeChangeNotifyPrivilege	1736	msiexec.exe
Token: SeRemoteShutdownPrivilege	1736	msiexec.exe
Token: SeUndockPrivilege	1736	msiexec.exe
Token: SeSyncAgentPrivilege	1736	msiexec.exe
Token: SeEnableDelegationPrivilege	1736	msiexec.exe
Token: SeManageVolumePrivilege	1736	msiexec.exe
Token: SeImpersonatePrivilege	1736	msiexec.exe
Token: SeCreateGlobalPrivilege	1736	msiexec.exe
Token: SeBackupPrivilege	1448	vssvc.exe
Token: SeRestorePrivilege	1448	vssvc.exe
Token: SeAuditPrivilege	1448	vssvc.exe
Token: SeBackupPrivilege	1120	msiexec.exe
Token: SeRestorePrivilege	1120	msiexec.exe
Token: SeRestorePrivilege	1596	DrvInst.exe
Token: SeRestorePrivilege	1596	DrvInst.exe
Token: SeRestorePrivilege	1596	DrvInst.exe
Token: SeRestorePrivilege	1596	DrvInst.exe
Token: SeRestorePrivilege	1596	DrvInst.exe
Token: SeRestorePrivilege	1596	DrvInst.exe
Token: SeRestorePrivilege	1596	DrvInst.exe
Token: SeLoadDriverPrivilege	1596	DrvInst.exe
Token: SeLoadDriverPrivilege	1596	DrvInst.exe
Token: SeLoadDriverPrivilege	1596	DrvInst.exe
Token: SeRestorePrivilege	1120	msiexec.exe
Token: SeTakeOwnershipPrivilege	1120	msiexec.exe
Token: SeRestorePrivilege	1120	msiexec.exe
Token: SeTakeOwnershipPrivilege	1120	msiexec.exe
Token: SeRestorePrivilege	1120	msiexec.exe
Token: SeTakeOwnershipPrivilege	1120	msiexec.exe
Token: SeRestorePrivilege	1120	msiexec.exe
Token: SeTakeOwnershipPrivilege	1120	msiexec.exe
Token: SeRestorePrivilege	1120	msiexec.exe
Token: SeTakeOwnershipPrivilege	1120	msiexec.exe
Token: SeRestorePrivilege	1120	msiexec.exe
Token: SeTakeOwnershipPrivilege	1120	msiexec.exe
Token: SeRestorePrivilege	1120	msiexec.exe
Token: SeTakeOwnershipPrivilege	1120	msiexec.exe
Token: SeRestorePrivilege	1120	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1736	msiexec.exe
1980	setup-stub.exe
1736	msiexec.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1980	setup-stub.exe
1980	setup-stub.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 960	1120	msiexec.exe	31
PID 1120 wrote to memory of 960	1120	msiexec.exe	31
PID 1120 wrote to memory of 960	1120	msiexec.exe	31
PID 1120 wrote to memory of 960	1120	msiexec.exe	31
PID 1120 wrote to memory of 960	1120	msiexec.exe	31
PID 1120 wrote to memory of 960	1120	msiexec.exe	31
PID 1120 wrote to memory of 960	1120	msiexec.exe	31
PID 1120 wrote to memory of 1796	1120	msiexec.exe	32
PID 1120 wrote to memory of 1796	1120	msiexec.exe	32
PID 1120 wrote to memory of 1796	1120	msiexec.exe	32
PID 1120 wrote to memory of 1796	1120	msiexec.exe	32
PID 1120 wrote to memory of 1796	1120	msiexec.exe	32
PID 1120 wrote to memory of 1796	1120	msiexec.exe	32
PID 1120 wrote to memory of 1796	1120	msiexec.exe	32
PID 1120 wrote to memory of 1824	1120	msiexec.exe	33
PID 1120 wrote to memory of 1824	1120	msiexec.exe	33
PID 1120 wrote to memory of 1824	1120	msiexec.exe	33
PID 1120 wrote to memory of 1824	1120	msiexec.exe	33
PID 1120 wrote to memory of 1824	1120	msiexec.exe	33
PID 1120 wrote to memory of 1468	1120	msiexec.exe	34
PID 1120 wrote to memory of 1824	1120	msiexec.exe	33
PID 1120 wrote to memory of 1468	1120	msiexec.exe	34
PID 1120 wrote to memory of 1468	1120	msiexec.exe	34
PID 1120 wrote to memory of 1824	1120	msiexec.exe	33
PID 1120 wrote to memory of 1468	1120	msiexec.exe	34
PID 1120 wrote to memory of 1468	1120	msiexec.exe	34
PID 1120 wrote to memory of 1468	1120	msiexec.exe	34
PID 1120 wrote to memory of 1468	1120	msiexec.exe	34
PID 556 wrote to memory of 1980	556	Firefox.exe	37
PID 556 wrote to memory of 1980	556	Firefox.exe	37
PID 556 wrote to memory of 1980	556	Firefox.exe	37
PID 556 wrote to memory of 1980	556	Firefox.exe	37
PID 556 wrote to memory of 1980	556	Firefox.exe	37
PID 556 wrote to memory of 1980	556	Firefox.exe	37
PID 556 wrote to memory of 1980	556	Firefox.exe	37
PID 672 wrote to memory of 1924	672	helpost.exe	38
PID 672 wrote to memory of 1924	672	helpost.exe	38
PID 672 wrote to memory of 1924	672	helpost.exe	38
PID 672 wrote to memory of 1924	672	helpost.exe	38
PID 1980 wrote to memory of 1360	1980	setup-stub.exe	42
PID 1980 wrote to memory of 1360	1980	setup-stub.exe	42
PID 1980 wrote to memory of 1360	1980	setup-stub.exe	42
PID 1980 wrote to memory of 1360	1980	setup-stub.exe	42
PID 1360 wrote to memory of 644	1360	download.exe	43
PID 1360 wrote to memory of 644	1360	download.exe	43
PID 1360 wrote to memory of 644	1360	download.exe	43
PID 1360 wrote to memory of 644	1360	download.exe	43
PID 1360 wrote to memory of 644	1360	download.exe	43
PID 1360 wrote to memory of 644	1360	download.exe	43
PID 1360 wrote to memory of 644	1360	download.exe	43
PID 644 wrote to memory of 1688	644	setup.exe	44
PID 644 wrote to memory of 1688	644	setup.exe	44
PID 644 wrote to memory of 1688	644	setup.exe	44
PID 644 wrote to memory of 1688	644	setup.exe	44
PID 644 wrote to memory of 1688	644	setup.exe	44
PID 644 wrote to memory of 1688	644	setup.exe	44
PID 644 wrote to memory of 1688	644	setup.exe	44
PID 1688 wrote to memory of 560	1688	regsvr32.exe	45
PID 1688 wrote to memory of 560	1688	regsvr32.exe	45
PID 1688 wrote to memory of 560	1688	regsvr32.exe	45
PID 1688 wrote to memory of 560	1688	regsvr32.exe	45
PID 1688 wrote to memory of 560	1688	regsvr32.exe	45
PID 1688 wrote to memory of 560	1688	regsvr32.exe	45
PID 1688 wrote to memory of 560	1688	regsvr32.exe	45

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Firefox-Setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A881A55E9EA48E89DCA1ADAA0EDBC124
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5F5E867443F3A7276DD7A38546530E52 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1796
- C:\Windows\Installer\MSIC805.tmp
  "C:\Windows\Installer\MSIC805.tmp" /DontWait "C:\ProgramData\Progptp\helpost.exe"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\Installer\MSIC815.tmp
  "C:\Windows\Installer\MSIC815.tmp" /DontWait "C:\Program Files (x86)\Common Files\Firefox.exe"
  2⤵
  - Executes dropped EXE
  PID:1468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000564" "00000000000004A0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Program Files (x86)\Common Files\Firefox.exe
"C:\Program Files (x86)\Common Files\Firefox.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\7zSC2213FCC\setup-stub.exe
  .\setup-stub.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\download.exe
    "C:\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\config.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\7zS0559973D\setup.exe
      .\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\config.ini
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:644
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:560
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
        5⤵
        
        PID:1072
      - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1500
    - - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
        
        "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:968
      - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
    - - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
        
        "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
        5⤵
        Executes dropped EXE
        
        PID:964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
    3⤵
    - Executes dropped EXE
    PID:1504
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Checks whether UAC is enabled
      Checks processor information in registry
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1520
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.0.1412647616\575577244" -parentBuildID 20221215175817 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 21569 -prefMapSize 232830 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aa445fb-872b-440c-914f-ac17665bcad3} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1260 da2cc20 socket
        5⤵
        Executes dropped EXE
        
        PID:964
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.1.502540253\1803342" -parentBuildID 20221215175817 -prefsHandle 1584 -prefMapHandle 1136 -prefsLen 21705 -prefMapSize 232830 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d190e557-5f94-45db-8be7-3ad4e4a0b806} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1404 10c3f360 gpu
        5⤵
        Executes dropped EXE
        
        PID:2288
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.2.2119709382\1965511898" -childID 1 -isForBrowser -prefsHandle 1420 -prefMapHandle 1648 -prefsLen 23025 -prefMapSize 232830 -jsInitHandle 852 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20221215175817 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9457c691-c81b-4709-a332-9f20ef0c1abb} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1924 119e4280 tab
        5⤵
        Executes dropped EXE
        
        PID:2424
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.3.472519615\978785358" -childID 2 -isForBrowser -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 23025 -prefMapSize 232830 -jsInitHandle 852 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20221215175817 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f704c35f-b2b5-4fae-8ad1-9f3db87a7fdb} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2156 119e43f0 tab
        5⤵
        Executes dropped EXE
        
        PID:2552
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.4.450324772\1261256122" -parentBuildID 20221215175817 -prefsHandle 2604 -prefMapHandle 2600 -prefsLen 24095 -prefMapSize 232830 -appDir "C:\Program Files\Mozilla Firefox\browser" - {469c993d-7239-4d3e-8f05-777beb1e6647} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2616 10c3dd70 rdd
        5⤵
        Executes dropped EXE
        
        PID:2680
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.5.320922522\1057993457" -childID 3 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 24306 -prefMapSize 232830 -jsInitHandle 852 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20221215175817 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36a1a0b3-d64b-4575-9f0c-57a7dc232a3a} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2972 16ad56d0 tab
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2892
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.6.1298214904\1587161947" -childID 4 -isForBrowser -prefsHandle 3080 -prefMapHandle 3084 -prefsLen 24306 -prefMapSize 232830 -jsInitHandle 852 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20221215175817 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e1b550-8c72-4856-8989-9df921b582ff} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3060 16ad5560 tab
        5⤵
        Executes dropped EXE
        
        PID:2900
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.7.1111883679\669456619" -childID 5 -isForBrowser -prefsHandle 3264 -prefMapHandle 3272 -prefsLen 24306 -prefMapSize 232830 -jsInitHandle 852 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20221215175817 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7a52e74-2227-4042-9621-33e61906a694} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3244 119e4280 tab
        5⤵
        Executes dropped EXE
        
        PID:2988
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.8.2101405174\220628992" -childID 6 -isForBrowser -prefsHandle 1672 -prefMapHandle 2948 -prefsLen 24506 -prefMapSize 232830 -jsInitHandle 852 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20221215175817 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a76940a-0814-4388-9592-7baa8fa7817f} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1452 16ad5c90 tab
        5⤵
        Executes dropped EXE
        
        PID:2080
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.9.1275158273\1227541683" -childID 7 -isForBrowser -prefsHandle 4380 -prefMapHandle 4364 -prefsLen 30093 -prefMapSize 232830 -jsInitHandle 852 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20221215175817 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34b9bfe7-7850-43e0-b72e-73963c7d1267} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4412 1c9bd6d0 tab
        5⤵
        Executes dropped EXE
        
        PID:2444

C:\ProgramData\Progptp\helpost.exe
"C:\ProgramData\Progptp\helpost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672
- C:\Users\Admin\AppData\Local\helpost.exe
  "C:\Users\Admin\AppData\Local\helpost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Firefox.exe

Filesize
341KB

MD5
2a361bf798d8542833bc727e83fade01

SHA1
1ca1a267a75a6766925d9567cd7d599c988ff16e

SHA256
d7014058a456294057737ff0770aeb46cc03c0b63eb0067b220e62a9ecebe325

SHA512
6cedf7663918c62a8fecbbbc3e49f355bcb96f971b296182867898d57f0f17f2a4635fc1b8cab434c9e2af266c25109b734e3d79f01c02095550c698eeadad6d

Download Submit
C:\Program Files (x86)\Common Files\Firefox.exe

Filesize
341KB

MD5
2a361bf798d8542833bc727e83fade01

SHA1
1ca1a267a75a6766925d9567cd7d599c988ff16e

SHA256
d7014058a456294057737ff0770aeb46cc03c0b63eb0067b220e62a9ecebe325

SHA512
6cedf7663918c62a8fecbbbc3e49f355bcb96f971b296182867898d57f0f17f2a4635fc1b8cab434c9e2af266c25109b734e3d79f01c02095550c698eeadad6d

Download Submit
C:\ProgramData\Progptp\Lixbsfa.DLL

Filesize
157KB

MD5
bb1922dfbdd99e0b89bec66c30c31b73

SHA1
f7a561619c101ba9b335c0b3d318f965b8fc1dfb

SHA256
76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

SHA512
3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

Download Submit
C:\ProgramData\Progptp\Micr.jpg

Filesize
199KB

MD5
a76aeebf2a00b69d2daf436ed107bbb0

SHA1
c5b166dac1859cda5be28b6db091bbb38693d3ce

SHA256
00bb88da5e7c6448abe14ccc7108c49dd60af8dde74171f1b727a42ed78073c9

SHA512
35f53bcdf82778eb5ae1dc43a31beafa8dbe7b384b919fe0bb1c38ac5db54e06b4270fa5885319f0afda6fe0fd04b147539647120f47a7442fe7468406f4288d

Download Submit
C:\ProgramData\Progptp\XLFSIO.dll

Filesize
209KB

MD5
1bc7af7a8512cf79d4f0efc5cb138ce3

SHA1
68fd202d9380cacd2f8e0ce06d8df1c03c791c5b

SHA256
ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62

SHA512
84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

Download Submit
C:\ProgramData\Progptp\XLGraphic.dll

Filesize
730KB

MD5
74c75ae5b97ad708dbe6f69d3a602430

SHA1
a02764d99b44ce4b1d199ef0f8ce73431d094a6a

SHA256
89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

SHA512
52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

Download Submit
C:\ProgramData\Progptp\XLLuaRuntime.dll

Filesize
249KB

MD5
5362cb2efe55c6d6e9b51849ec0706b2

SHA1
d91acbe95dedc3bcac7ec0051c04ddddd5652778

SHA256
1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40

SHA512
dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

Download Submit
C:\ProgramData\Progptp\XLUE.dll

Filesize
2.4MB

MD5
0abbe96e1f7a254e23a80f06a1018c69

SHA1
0b83322fd5e18c9da8c013a0ed952cffa34381ae

SHA256
10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

SHA512
2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

Download Submit
C:\ProgramData\Progptp\helpost.exe

Filesize
226KB

MD5
d076a0cdef6ecf4f7354b57a28352e9e

SHA1
2d3f17f70dcf1bf6ee2f95d29900ece6a57e4dd5

SHA256
275e5b578be6f7e0ce4b7bbe0f2b7cfdef9058508b9ac8cac82ed324f0ae7646

SHA512
a2107068d26c6822b0ec1bc726fa8aec0a448d94c7bdd3666d6d62870adc90b2cff428085e6369908da5c1a3bb54d58dfeca2a59a0e5d13ef853a72f16ffdc86

Download Submit
C:\ProgramData\Progptp\helpost.exe

Filesize
226KB

MD5
d076a0cdef6ecf4f7354b57a28352e9e

SHA1
2d3f17f70dcf1bf6ee2f95d29900ece6a57e4dd5

SHA256
275e5b578be6f7e0ce4b7bbe0f2b7cfdef9058508b9ac8cac82ed324f0ae7646

SHA512
a2107068d26c6822b0ec1bc726fa8aec0a448d94c7bdd3666d6d62870adc90b2cff428085e6369908da5c1a3bb54d58dfeca2a59a0e5d13ef853a72f16ffdc86

Download Submit
C:\ProgramData\Progptp\libexpat.dll

Filesize
668KB

MD5
5ff790879aab8078884eaac71affeb4a

SHA1
59352663fdcf24bb01c1f219410e49c15b51d5c5

SHA256
cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f

SHA512
34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

Download Submit
C:\ProgramData\Progptp\libpng13.dll

Filesize
254KB

MD5
241fba52b2caf4bc3c0e676210e78e42

SHA1
09a660ef1493ae6c0e39f8886b30f338f6929df5

SHA256
8d3f49d69c0492c4d685c8e4e56b742c6229b998dba286a5fc2489aeb379f961

SHA512
30f4d630a99f86e9dae1918096bbffc3e6745627e09f261bd39c07ec31d4b2703a12751cb278a2e2dfe790acaa364af09892d2648b10513fbc58e153c914783b

Download Submit
C:\ProgramData\Progptp\zlib1.dll

Filesize
62KB

MD5
37163aacc5534fbab012fb505be8d647

SHA1
73de6343e52180a24c74f4629e38a62ed8ad5f81

SHA256
0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

SHA512
c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2213FCC\setup-stub.exe

Filesize
549KB

MD5
04c63e4b810be2eadcba1453a1882f5d

SHA1
9c761c5f27aae2c91bedaf4f4117c123583df348

SHA256
72f090a4fa120ba64acebd6abe370d98e9c7c4cdfaf84b5ecf196eda93a1f321

SHA512
06c92a598f2820939c298459546db65f281a055639a0c0452d9714122d6bb1e292235eec17eadff60ecbd71e787802879df77228e3d8d5301d9f5ebfe5ed78e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC2213FCC\setup-stub.exe

Filesize
549KB

MD5
04c63e4b810be2eadcba1453a1882f5d

SHA1
9c761c5f27aae2c91bedaf4f4117c123583df348

SHA256
72f090a4fa120ba64acebd6abe370d98e9c7c4cdfaf84b5ecf196eda93a1f321

SHA512
06c92a598f2820939c298459546db65f281a055639a0c0452d9714122d6bb1e292235eec17eadff60ecbd71e787802879df77228e3d8d5301d9f5ebfe5ed78e9

Download Submit
C:\Users\Admin\AppData\Local\helpost.exe

Filesize
226KB

MD5
d076a0cdef6ecf4f7354b57a28352e9e

SHA1
2d3f17f70dcf1bf6ee2f95d29900ece6a57e4dd5

SHA256
275e5b578be6f7e0ce4b7bbe0f2b7cfdef9058508b9ac8cac82ed324f0ae7646

SHA512
a2107068d26c6822b0ec1bc726fa8aec0a448d94c7bdd3666d6d62870adc90b2cff428085e6369908da5c1a3bb54d58dfeca2a59a0e5d13ef853a72f16ffdc86

Download Submit
C:\Windows\Installer\MSIB33E.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSIB551.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIB5CF.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIB68B.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit
C:\Windows\Installer\MSIB93A.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSIBF92.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSIC119.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIC1A6.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIC282.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSIC448.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSIC515.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSIC69C.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSIC805.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
C:\Windows\Installer\MSIC815.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
C:\Windows\Installer\MSIC816.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\ProgramData\Progptp\Lixbsfa.dll

Filesize
157KB

MD5
bb1922dfbdd99e0b89bec66c30c31b73

SHA1
f7a561619c101ba9b335c0b3d318f965b8fc1dfb

SHA256
76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

SHA512
3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

Download Submit
\ProgramData\Progptp\Lixbsfa.dll

Filesize
157KB

MD5
bb1922dfbdd99e0b89bec66c30c31b73

SHA1
f7a561619c101ba9b335c0b3d318f965b8fc1dfb

SHA256
76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

SHA512
3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

Download Submit
\ProgramData\Progptp\XLFSIO.dll

Filesize
209KB

MD5
1bc7af7a8512cf79d4f0efc5cb138ce3

SHA1
68fd202d9380cacd2f8e0ce06d8df1c03c791c5b

SHA256
ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62

SHA512
84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

Download Submit
\ProgramData\Progptp\XLGraphic.dll

Filesize
730KB

MD5
74c75ae5b97ad708dbe6f69d3a602430

SHA1
a02764d99b44ce4b1d199ef0f8ce73431d094a6a

SHA256
89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

SHA512
52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

Download Submit
\ProgramData\Progptp\XLGraphic.dll

Filesize
730KB

MD5
74c75ae5b97ad708dbe6f69d3a602430

SHA1
a02764d99b44ce4b1d199ef0f8ce73431d094a6a

SHA256
89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

SHA512
52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

Download Submit
\ProgramData\Progptp\XLLuaRuntime.dll

Filesize
249KB

MD5
5362cb2efe55c6d6e9b51849ec0706b2

SHA1
d91acbe95dedc3bcac7ec0051c04ddddd5652778

SHA256
1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40

SHA512
dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

Download Submit
\ProgramData\Progptp\XLUE.dll

Filesize
2.4MB

MD5
0abbe96e1f7a254e23a80f06a1018c69

SHA1
0b83322fd5e18c9da8c013a0ed952cffa34381ae

SHA256
10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

SHA512
2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

Download Submit
\ProgramData\Progptp\XLUE.dll

Filesize
2.4MB

MD5
0abbe96e1f7a254e23a80f06a1018c69

SHA1
0b83322fd5e18c9da8c013a0ed952cffa34381ae

SHA256
10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

SHA512
2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

Download Submit
\ProgramData\Progptp\libexpat.dll

Filesize
668KB

MD5
5ff790879aab8078884eaac71affeb4a

SHA1
59352663fdcf24bb01c1f219410e49c15b51d5c5

SHA256
cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f

SHA512
34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

Download Submit
\ProgramData\Progptp\libpng13.dll

Filesize
254KB

MD5
241fba52b2caf4bc3c0e676210e78e42

SHA1
09a660ef1493ae6c0e39f8886b30f338f6929df5

SHA256
8d3f49d69c0492c4d685c8e4e56b742c6229b998dba286a5fc2489aeb379f961

SHA512
30f4d630a99f86e9dae1918096bbffc3e6745627e09f261bd39c07ec31d4b2703a12751cb278a2e2dfe790acaa364af09892d2648b10513fbc58e153c914783b

Download Submit
\ProgramData\Progptp\libpng13.dll

Filesize
254KB

MD5
241fba52b2caf4bc3c0e676210e78e42

SHA1
09a660ef1493ae6c0e39f8886b30f338f6929df5

SHA256
8d3f49d69c0492c4d685c8e4e56b742c6229b998dba286a5fc2489aeb379f961

SHA512
30f4d630a99f86e9dae1918096bbffc3e6745627e09f261bd39c07ec31d4b2703a12751cb278a2e2dfe790acaa364af09892d2648b10513fbc58e153c914783b

Download Submit
\ProgramData\Progptp\zlib1.dll

Filesize
62KB

MD5
37163aacc5534fbab012fb505be8d647

SHA1
73de6343e52180a24c74f4629e38a62ed8ad5f81

SHA256
0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

SHA512
c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC2213FCC\setup-stub.exe

Filesize
549KB

MD5
04c63e4b810be2eadcba1453a1882f5d

SHA1
9c761c5f27aae2c91bedaf4f4117c123583df348

SHA256
72f090a4fa120ba64acebd6abe370d98e9c7c4cdfaf84b5ecf196eda93a1f321

SHA512
06c92a598f2820939c298459546db65f281a055639a0c0452d9714122d6bb1e292235eec17eadff60ecbd71e787802879df77228e3d8d5301d9f5ebfe5ed78e9

Download Submit
\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\CityHash.dll

Filesize
53KB

MD5
2021acc65fa998daa98131e20c4605be

SHA1
2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

SHA256
c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

SHA512
cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

Download Submit
\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
\Users\Admin\AppData\Local\Temp\nstCFEE.tmp\WebBrowser.dll

Filesize
103KB

MD5
b53cd4ad8562a11f3f7c7890a09df27a

SHA1
db66b94670d47c7ee436c2a5481110ed4f013a48

SHA256
281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

SHA512
bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

Download Submit
\Users\Admin\AppData\Local\helpost.exe

Filesize
226KB

MD5
d076a0cdef6ecf4f7354b57a28352e9e

SHA1
2d3f17f70dcf1bf6ee2f95d29900ece6a57e4dd5

SHA256
275e5b578be6f7e0ce4b7bbe0f2b7cfdef9058508b9ac8cac82ed324f0ae7646

SHA512
a2107068d26c6822b0ec1bc726fa8aec0a448d94c7bdd3666d6d62870adc90b2cff428085e6369908da5c1a3bb54d58dfeca2a59a0e5d13ef853a72f16ffdc86

Download Submit
\Windows\Installer\MSIB33E.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\Windows\Installer\MSIB551.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSIB5CF.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSIB68B.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit
\Windows\Installer\MSIB93A.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\Windows\Installer\MSIBF92.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\Windows\Installer\MSIC119.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSIC1A6.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSIC282.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\Windows\Installer\MSIC448.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
\Windows\Installer\MSIC515.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
\Windows\Installer\MSIC69C.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
\Windows\Installer\MSIC816.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
memory/556-103-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/672-145-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/672-99-0x0000000000320000-0x0000000000428000-memory.dmp

Filesize
1.0MB

Download
memory/672-113-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/672-132-0x00000000007E0000-0x0000000000811000-memory.dmp

Filesize
196KB

Download
memory/672-136-0x0000000000440000-0x000000000046A000-memory.dmp

Filesize
168KB

Download
memory/672-118-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/672-142-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/672-144-0x0000000000650000-0x0000000000682000-memory.dmp

Filesize
200KB

Download
memory/960-57-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1360-172-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1736-54-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Filesize
8KB

Download
memory/1924-153-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/1924-169-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/1924-168-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/1924-162-0x0000000000600000-0x000000000062A000-memory.dmp

Filesize
168KB

Download
memory/1924-158-0x0000000000520000-0x0000000000551000-memory.dmp

Filesize
196KB

Download
memory/1924-155-0x00000000003C0000-0x00000000003FF000-memory.dmp

Filesize
252KB

Download
memory/1924-149-0x0000000000260000-0x0000000000368000-memory.dmp

Filesize
1.0MB

Download
memory/1980-171-0x0000000008870000-0x00000000088B6000-memory.dmp

Filesize
280KB

Download
memory/1980-129-0x00000000729C1000-0x00000000729C3000-memory.dmp

Filesize
8KB

Download