fatalrat | dc7e999dba2421927abe28c84d7eb3c4786af4d24bb41f7c366dff468f049224

Analysis

max time kernel
126s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Firefox-x64.msi
Size

12.4MB
MD5

6f82946feb7b318a92433037313de23d
SHA1

6dafc4b49c08c581ae8e4aabca49bec772f9d8a9
SHA256

99d83bfa475c782f12fcff85a8c6afb61f6f00b393af65d62c33596628189fe2
SHA512

54cdd857d86cac8962bc5463292d53deb1c572b3223a6e0a2cd29ff5d14f0f83c1698cf6d9b96ac3b8a9bc7b8f3457b91f433695eb271a1a85b250d2a3403812
SSDEEP

393216:EELSNZON3MWsDspg80QQUCPpYgMYSpFLtXbY:EELGWsDwg80Q76YhhrY

Score

10^/10

fatalrat discovery evasion infostealer rat spyware stealer trojan upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1648-134-0x0000000000540000-0x000000000056A000-memory.dmp	fatalrat
behavioral1/memory/1940-159-0x0000000000660000-0x000000000068A000-memory.dmp	fatalrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	956	msiexec.exe
4	1852	msiexec.exe
12	1900	MsiExec.exe

Downloads MZ/PE file

Executes dropped EXE 22 IoCs

pid	Process
1660	MSI7DA0.tmp
988	MSI7D8F.tmp
1648	sccs.exe
552	setup.exe
692	setup-stub.exe
1940	sccs.exe
1716	setup.exe
336	maintenanceservice_installer.exe
956	maintenanceservice_tmp.exe
1592	default-browser-agent.exe
1052	firefox.exe
1540	firefox.exe
2104	firefox.exe
2196	firefox.exe
2280	firefox.exe
2436	firefox.exe
2544	firefox.exe
2744	firefox.exe
2752	firefox.exe
2776	firefox.exe
2984	firefox.exe
2520	firefox.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000139f4-107.dat	upx
behavioral1/memory/552-114-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x00070000000139f4-108.dat	upx
behavioral1/memory/552-163-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2012-167-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
1900	MsiExec.exe
1900	MsiExec.exe
1900	MsiExec.exe
1900	MsiExec.exe
1900	MsiExec.exe
1900	MsiExec.exe
1900	MsiExec.exe
1900	MsiExec.exe
1900	MsiExec.exe
1900	MsiExec.exe
1368	MsiExec.exe
1368	MsiExec.exe
1368	MsiExec.exe
1368	MsiExec.exe
1900	MsiExec.exe
1648	sccs.exe
1648	sccs.exe
1648	sccs.exe
1648	sccs.exe
1648	sccs.exe
1648	sccs.exe
1648	sccs.exe
552	setup.exe
1648	sccs.exe
1648	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
2012	download.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1080	regsvr32.exe
1080	regsvr32.exe
1080	regsvr32.exe
1080	regsvr32.exe
1080	regsvr32.exe
1080	regsvr32.exe
1080	regsvr32.exe
1352	regsvr32.exe
1716	setup.exe
1716	setup.exe
336	maintenanceservice_installer.exe
336	maintenanceservice_installer.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe
1716	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\updater.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	setup.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe.sig	setup.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe	maintenanceservice_installer.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	maintenanceservice_installer.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\breakpadinjector.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozavutil.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\removed-files	setup.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	setup.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	setup.exe
File created	C:\Program Files\Mozilla Firefox\locale.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\notificationserver.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja	setup.exe
File created	C:\Program Files\Mozilla Firefox\install.log	setup.exe
File created	C:\Program Files\Mozilla Firefox\Accessible.tlb	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\freebl3.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\	setup.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\softokn3.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\nss3.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\update-settings.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\omni.ja	setup.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	maintenanceservice_tmp.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	setup.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6B66.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI72E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7385.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B9A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\6c6623.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BF3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6c6625.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D8F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DA1.tmp	msiexec.exe
File created	C:\Windows\Installer\6c6623.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI749F.tmp	msiexec.exe
File created	C:\Windows\Installer\6c6625.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EB2.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6859.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI751C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A22.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DA0.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sccs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sccs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	setup-stub.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "AsyncIHandlerControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\DDEEXEC	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ = "ISimpleDOMText"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ = "IHandlerControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\ = "Firefox URL"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\FriendlyTypeName = "Firefox PDF Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods\ = "8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods\ = "9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\FriendlyTypeName = "Firefox URL"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32\ = "{DCA8D857-1A63-4045-8F36-8809EB093D04}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\FriendlyTypeName = "Firefox HTML Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}\InprocHandler32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\ = "Firefox HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\ = "Firefox PDF Document"	setup.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1900	MsiExec.exe
1852	msiexec.exe
1852	msiexec.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
1940	sccs.exe
956	maintenanceservice_tmp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	956	msiexec.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeSecurityPrivilege	1852	msiexec.exe
Token: SeCreateTokenPrivilege	956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	956	msiexec.exe
Token: SeLockMemoryPrivilege	956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	956	msiexec.exe
Token: SeMachineAccountPrivilege	956	msiexec.exe
Token: SeTcbPrivilege	956	msiexec.exe
Token: SeSecurityPrivilege	956	msiexec.exe
Token: SeTakeOwnershipPrivilege	956	msiexec.exe
Token: SeLoadDriverPrivilege	956	msiexec.exe
Token: SeSystemProfilePrivilege	956	msiexec.exe
Token: SeSystemtimePrivilege	956	msiexec.exe
Token: SeProfSingleProcessPrivilege	956	msiexec.exe
Token: SeIncBasePriorityPrivilege	956	msiexec.exe
Token: SeCreatePagefilePrivilege	956	msiexec.exe
Token: SeCreatePermanentPrivilege	956	msiexec.exe
Token: SeBackupPrivilege	956	msiexec.exe
Token: SeRestorePrivilege	956	msiexec.exe
Token: SeShutdownPrivilege	956	msiexec.exe
Token: SeDebugPrivilege	956	msiexec.exe
Token: SeAuditPrivilege	956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	956	msiexec.exe
Token: SeChangeNotifyPrivilege	956	msiexec.exe
Token: SeRemoteShutdownPrivilege	956	msiexec.exe
Token: SeUndockPrivilege	956	msiexec.exe
Token: SeSyncAgentPrivilege	956	msiexec.exe
Token: SeEnableDelegationPrivilege	956	msiexec.exe
Token: SeManageVolumePrivilege	956	msiexec.exe
Token: SeImpersonatePrivilege	956	msiexec.exe
Token: SeCreateGlobalPrivilege	956	msiexec.exe
Token: SeBackupPrivilege	564	vssvc.exe
Token: SeRestorePrivilege	564	vssvc.exe
Token: SeAuditPrivilege	564	vssvc.exe
Token: SeBackupPrivilege	1852	msiexec.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeRestorePrivilege	1432	DrvInst.exe
Token: SeRestorePrivilege	1432	DrvInst.exe
Token: SeRestorePrivilege	1432	DrvInst.exe
Token: SeRestorePrivilege	1432	DrvInst.exe
Token: SeRestorePrivilege	1432	DrvInst.exe
Token: SeRestorePrivilege	1432	DrvInst.exe
Token: SeRestorePrivilege	1432	DrvInst.exe
Token: SeLoadDriverPrivilege	1432	DrvInst.exe
Token: SeLoadDriverPrivilege	1432	DrvInst.exe
Token: SeLoadDriverPrivilege	1432	DrvInst.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeRestorePrivilege	1852	msiexec.exe
Token: SeTakeOwnershipPrivilege	1852	msiexec.exe
Token: SeRestorePrivilege	1852	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
956	msiexec.exe
956	msiexec.exe
1540	firefox.exe
1540	firefox.exe
1540	firefox.exe
1540	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1540	firefox.exe
1540	firefox.exe
1540	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1900	1852	msiexec.exe	32
PID 1852 wrote to memory of 1900	1852	msiexec.exe	32
PID 1852 wrote to memory of 1900	1852	msiexec.exe	32
PID 1852 wrote to memory of 1900	1852	msiexec.exe	32
PID 1852 wrote to memory of 1900	1852	msiexec.exe	32
PID 1852 wrote to memory of 1900	1852	msiexec.exe	32
PID 1852 wrote to memory of 1900	1852	msiexec.exe	32
PID 1852 wrote to memory of 1368	1852	msiexec.exe	33
PID 1852 wrote to memory of 1368	1852	msiexec.exe	33
PID 1852 wrote to memory of 1368	1852	msiexec.exe	33
PID 1852 wrote to memory of 1368	1852	msiexec.exe	33
PID 1852 wrote to memory of 1368	1852	msiexec.exe	33
PID 1852 wrote to memory of 1368	1852	msiexec.exe	33
PID 1852 wrote to memory of 1368	1852	msiexec.exe	33
PID 1852 wrote to memory of 988	1852	msiexec.exe	34
PID 1852 wrote to memory of 988	1852	msiexec.exe	34
PID 1852 wrote to memory of 988	1852	msiexec.exe	34
PID 1852 wrote to memory of 988	1852	msiexec.exe	34
PID 1852 wrote to memory of 988	1852	msiexec.exe	34
PID 1852 wrote to memory of 988	1852	msiexec.exe	34
PID 1852 wrote to memory of 988	1852	msiexec.exe	34
PID 1852 wrote to memory of 1660	1852	msiexec.exe	35
PID 1852 wrote to memory of 1660	1852	msiexec.exe	35
PID 1852 wrote to memory of 1660	1852	msiexec.exe	35
PID 1852 wrote to memory of 1660	1852	msiexec.exe	35
PID 1852 wrote to memory of 1660	1852	msiexec.exe	35
PID 1852 wrote to memory of 1660	1852	msiexec.exe	35
PID 1852 wrote to memory of 1660	1852	msiexec.exe	35
PID 552 wrote to memory of 692	552	setup.exe	38
PID 552 wrote to memory of 692	552	setup.exe	38
PID 552 wrote to memory of 692	552	setup.exe	38
PID 552 wrote to memory of 692	552	setup.exe	38
PID 552 wrote to memory of 692	552	setup.exe	38
PID 552 wrote to memory of 692	552	setup.exe	38
PID 552 wrote to memory of 692	552	setup.exe	38
PID 1648 wrote to memory of 1940	1648	sccs.exe	39
PID 1648 wrote to memory of 1940	1648	sccs.exe	39
PID 1648 wrote to memory of 1940	1648	sccs.exe	39
PID 1648 wrote to memory of 1940	1648	sccs.exe	39
PID 2012 wrote to memory of 1716	2012	download.exe	43
PID 2012 wrote to memory of 1716	2012	download.exe	43
PID 2012 wrote to memory of 1716	2012	download.exe	43
PID 2012 wrote to memory of 1716	2012	download.exe	43
PID 2012 wrote to memory of 1716	2012	download.exe	43
PID 2012 wrote to memory of 1716	2012	download.exe	43
PID 2012 wrote to memory of 1716	2012	download.exe	43
PID 1716 wrote to memory of 516	1716	setup.exe	44
PID 1716 wrote to memory of 516	1716	setup.exe	44
PID 1716 wrote to memory of 516	1716	setup.exe	44
PID 1716 wrote to memory of 516	1716	setup.exe	44
PID 1716 wrote to memory of 516	1716	setup.exe	44
PID 1716 wrote to memory of 516	1716	setup.exe	44
PID 1716 wrote to memory of 516	1716	setup.exe	44
PID 516 wrote to memory of 1080	516	regsvr32.exe	45
PID 516 wrote to memory of 1080	516	regsvr32.exe	45
PID 516 wrote to memory of 1080	516	regsvr32.exe	45
PID 516 wrote to memory of 1080	516	regsvr32.exe	45
PID 516 wrote to memory of 1080	516	regsvr32.exe	45
PID 516 wrote to memory of 1080	516	regsvr32.exe	45
PID 516 wrote to memory of 1080	516	regsvr32.exe	45
PID 1716 wrote to memory of 1728	1716	setup.exe	46
PID 1716 wrote to memory of 1728	1716	setup.exe	46
PID 1716 wrote to memory of 1728	1716	setup.exe	46
PID 1716 wrote to memory of 1728	1716	setup.exe	46

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Firefox-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5FA7DD15F547592481F3C97DDCB2BAE1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A8A5291C2BDBF95E29D47681CE0E3B03 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1368
- C:\Windows\Installer\MSI7D8F.tmp
  "C:\Windows\Installer\MSI7D8F.tmp" /DontWait "C:\ProgramData\Progtmy\sccs.exe"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Installer\MSI7DA0.tmp
  "C:\Windows\Installer\MSI7DA0.tmp" /DontWait "C:\Program Files (x86)\Common Files\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "000000000000005C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Program Files (x86)\Common Files\setup.exe
"C:\Program Files (x86)\Common Files\setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\7zS8222F29C\setup-stub.exe
  .\setup-stub.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\nsy84CB.tmp\download.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy84CB.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsy84CB.tmp\config.ini
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD7A81CC\setup.exe
      .\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsy84CB.tmp\config.ini
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:516
      - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1080
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
        5⤵
        
        PID:1728
      - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1352
    - - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
        
        "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:336
      - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:956
    - - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
        
        "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
        5⤵
        Executes dropped EXE
        
        PID:1592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
    3⤵
    - Executes dropped EXE
    PID:1052
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Checks whether UAC is enabled
      Checks processor information in registry
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1540
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.0.1222149437\279703523" -parentBuildID 20230104165113 -prefsHandle 1168 -prefMapHandle 1060 -prefsLen 21569 -prefMapSize 232830 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b4f892d-3f3c-4dc9-bf60-8d07bb10db81} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 1224 d12d260 socket
        5⤵
        Executes dropped EXE
        
        PID:2104
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.1.1853247008\591020258" -parentBuildID 20230104165113 -prefsHandle 1508 -prefMapHandle 1504 -prefsLen 21705 -prefMapSize 232830 -appDir "C:\Program Files\Mozilla Firefox\browser" - {744433ab-9f9f-4161-892e-8ca989f907e5} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 1528 f136f30 gpu
        5⤵
        Executes dropped EXE
        
        PID:2196
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.2.322020825\2041098258" -childID 1 -isForBrowser -prefsHandle 1772 -prefMapHandle 1404 -prefsLen 23025 -prefMapSize 232830 -jsInitHandle 908 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3b8953e-c96f-4fcc-b64f-8cd0035b3abe} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 1784 118c7560 tab
        5⤵
        Executes dropped EXE
        
        PID:2280
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.3.1792988586\1284360065" -childID 2 -isForBrowser -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 23109 -prefMapSize 232830 -jsInitHandle 908 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f38474d-c49e-4840-b629-824c90d6dcf1} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 2152 118c7e00 tab
        5⤵
        Executes dropped EXE
        
        PID:2436
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.4.1967855852\1786768620" -parentBuildID 20230104165113 -prefsHandle 2524 -prefMapHandle 2512 -prefsLen 24095 -prefMapSize 232830 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fa07fc8-3a0b-43ea-9b09-3bac2f432baa} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 2528 f1366c0 rdd
        5⤵
        Executes dropped EXE
        
        PID:2544
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.5.40562745\1733282077" -childID 3 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 24306 -prefMapSize 232830 -jsInitHandle 908 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {525b628a-0227-4762-b170-a7b9e45aa098} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 2972 1688ec90 tab
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2744
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.6.2107229237\1469956544" -childID 4 -isForBrowser -prefsHandle 3088 -prefMapHandle 3092 -prefsLen 24306 -prefMapSize 232830 -jsInitHandle 908 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52f998a3-8ec3-4bef-9eb3-38ab114388eb} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 3076 1688e3f0 tab
        5⤵
        Executes dropped EXE
        
        PID:2752
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.7.1112717463\945465365" -childID 5 -isForBrowser -prefsHandle 3216 -prefMapHandle 3220 -prefsLen 24306 -prefMapSize 232830 -jsInitHandle 908 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ada3f235-a1b4-450e-a900-6f14df447a75} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 3204 1688e840 tab
        5⤵
        Executes dropped EXE
        
        PID:2776
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.8.1749579464\187876842" -childID 6 -isForBrowser -prefsHandle 1056 -prefMapHandle 1936 -prefsLen 24506 -prefMapSize 232830 -jsInitHandle 908 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {984ff6f6-9471-4f16-88c1-a9597978d475} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 2928 1688eb20 tab
        5⤵
        Executes dropped EXE
        
        PID:2984
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1540.9.627766179\2002851209" -childID 7 -isForBrowser -prefsHandle 4208 -prefMapHandle 4288 -prefsLen 30093 -prefMapSize 232830 -jsInitHandle 908 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230104165113 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2136676c-f5f6-46e4-9d86-ee7a1cc1faa8} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" 4308 25b50c90 tab
        5⤵
        Executes dropped EXE
        
        PID:2520

C:\ProgramData\Progtmy\sccs.exe
"C:\ProgramData\Progtmy\sccs.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\sccs.exe
  "C:\Users\Admin\AppData\Local\sccs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\setup.exe

Filesize
341KB

MD5
2a361bf798d8542833bc727e83fade01

SHA1
1ca1a267a75a6766925d9567cd7d599c988ff16e

SHA256
d7014058a456294057737ff0770aeb46cc03c0b63eb0067b220e62a9ecebe325

SHA512
6cedf7663918c62a8fecbbbc3e49f355bcb96f971b296182867898d57f0f17f2a4635fc1b8cab434c9e2af266c25109b734e3d79f01c02095550c698eeadad6d

Download Submit
C:\Program Files (x86)\Common Files\setup.exe

Filesize
341KB

MD5
2a361bf798d8542833bc727e83fade01

SHA1
1ca1a267a75a6766925d9567cd7d599c988ff16e

SHA256
d7014058a456294057737ff0770aeb46cc03c0b63eb0067b220e62a9ecebe325

SHA512
6cedf7663918c62a8fecbbbc3e49f355bcb96f971b296182867898d57f0f17f2a4635fc1b8cab434c9e2af266c25109b734e3d79f01c02095550c698eeadad6d

Download Submit
C:\ProgramData\Progtmy\BHuedjhd.DLL

Filesize
157KB

MD5
bb1922dfbdd99e0b89bec66c30c31b73

SHA1
f7a561619c101ba9b335c0b3d318f965b8fc1dfb

SHA256
76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

SHA512
3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

Download Submit
C:\ProgramData\Progtmy\Micr.jpg

Filesize
199KB

MD5
a76aeebf2a00b69d2daf436ed107bbb0

SHA1
c5b166dac1859cda5be28b6db091bbb38693d3ce

SHA256
00bb88da5e7c6448abe14ccc7108c49dd60af8dde74171f1b727a42ed78073c9

SHA512
35f53bcdf82778eb5ae1dc43a31beafa8dbe7b384b919fe0bb1c38ac5db54e06b4270fa5885319f0afda6fe0fd04b147539647120f47a7442fe7468406f4288d

Download Submit
C:\ProgramData\Progtmy\XLFSIO.dll

Filesize
209KB

MD5
1bc7af7a8512cf79d4f0efc5cb138ce3

SHA1
68fd202d9380cacd2f8e0ce06d8df1c03c791c5b

SHA256
ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62

SHA512
84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

Download Submit
C:\ProgramData\Progtmy\XLGraphic.dll

Filesize
730KB

MD5
74c75ae5b97ad708dbe6f69d3a602430

SHA1
a02764d99b44ce4b1d199ef0f8ce73431d094a6a

SHA256
89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

SHA512
52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

Download Submit
C:\ProgramData\Progtmy\XLLuaRuntime.dll

Filesize
249KB

MD5
5362cb2efe55c6d6e9b51849ec0706b2

SHA1
d91acbe95dedc3bcac7ec0051c04ddddd5652778

SHA256
1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40

SHA512
dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

Download Submit
C:\ProgramData\Progtmy\XLUE.dll

Filesize
2.4MB

MD5
0abbe96e1f7a254e23a80f06a1018c69

SHA1
0b83322fd5e18c9da8c013a0ed952cffa34381ae

SHA256
10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

SHA512
2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

Download Submit
C:\ProgramData\Progtmy\libexpat.dll

Filesize
668KB

MD5
5ff790879aab8078884eaac71affeb4a

SHA1
59352663fdcf24bb01c1f219410e49c15b51d5c5

SHA256
cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f

SHA512
34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

Download Submit
C:\ProgramData\Progtmy\libpng13.dll

Filesize
126KB

MD5
c0008d201ade4c66a9c83ac95751d8e6

SHA1
277d66db133cf3dc4c194b073fd701332944d0b1

SHA256
18664f0debfcd39681d7f165541a7d5d92653f83fe5aa443bf721a41881290bb

SHA512
166608df827228b159c54ca6b59c8d7e78030c463d7b1bffb15397fb7d0a0c9b7a050107c8d6a7ffa546bc8d830a85230bdfde5bee6d1fd89e49857abfeeccd8

Download Submit
C:\ProgramData\Progtmy\sccs.exe

Filesize
226KB

MD5
ed823ff69eb7ce7fda80c43e865e8315

SHA1
6f0f66416fc54fda7f9b14f19271e157bea77c40

SHA256
9f489869d56413517d457daa2b73e7d1d1dc2e6b50ae0a1dfcd98d938f056c8e

SHA512
36d6375ce84460554642db76b41b3bbc5124ccf73da2718bc4262c1341d1612f668a722a3e8c140a98e42b90b064aaa47e447ffeba75b15c8ac89cbfa5207f26

Download Submit
C:\ProgramData\Progtmy\sccs.exe

Filesize
226KB

MD5
ed823ff69eb7ce7fda80c43e865e8315

SHA1
6f0f66416fc54fda7f9b14f19271e157bea77c40

SHA256
9f489869d56413517d457daa2b73e7d1d1dc2e6b50ae0a1dfcd98d938f056c8e

SHA512
36d6375ce84460554642db76b41b3bbc5124ccf73da2718bc4262c1341d1612f668a722a3e8c140a98e42b90b064aaa47e447ffeba75b15c8ac89cbfa5207f26

Download Submit
C:\ProgramData\Progtmy\zlib1.dll

Filesize
62KB

MD5
37163aacc5534fbab012fb505be8d647

SHA1
73de6343e52180a24c74f4629e38a62ed8ad5f81

SHA256
0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

SHA512
c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c4864b109ddb386badd7c98da94b991b

SHA1
4598a78c6380140bea41a28582fe7f9be258330b

SHA256
4edfb4303931ecb41bd26fc6a8897f31e73de3c2e27b8bab2a4294f3f9728acf

SHA512
d9fa886668bbecb5860ff513ceb547bda6b19b8cf54556abf73497910600ee86ae60073b4f828758b19a1f57dc3e694b74e6214195f2af84095c8c496cfdb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8222F29C\setup-stub.exe

Filesize
549KB

MD5
04c63e4b810be2eadcba1453a1882f5d

SHA1
9c761c5f27aae2c91bedaf4f4117c123583df348

SHA256
72f090a4fa120ba64acebd6abe370d98e9c7c4cdfaf84b5ecf196eda93a1f321

SHA512
06c92a598f2820939c298459546db65f281a055639a0c0452d9714122d6bb1e292235eec17eadff60ecbd71e787802879df77228e3d8d5301d9f5ebfe5ed78e9

Download Submit
C:\Users\Admin\AppData\Local\sccs.exe

Filesize
226KB

MD5
ed823ff69eb7ce7fda80c43e865e8315

SHA1
6f0f66416fc54fda7f9b14f19271e157bea77c40

SHA256
9f489869d56413517d457daa2b73e7d1d1dc2e6b50ae0a1dfcd98d938f056c8e

SHA512
36d6375ce84460554642db76b41b3bbc5124ccf73da2718bc4262c1341d1612f668a722a3e8c140a98e42b90b064aaa47e447ffeba75b15c8ac89cbfa5207f26

Download Submit
C:\Windows\Installer\MSI6859.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSI6B66.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI6BF3.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI6EB2.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit
C:\Windows\Installer\MSI72E8.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSI7385.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSI749F.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI751C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI75D9.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSI77DD.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSI78AA.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSI7A22.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSI7AFD.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSI7B9A.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSI7D8F.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
C:\Windows\Installer\MSI7DA0.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
C:\Windows\Installer\MSI7DA1.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\ProgramData\Progtmy\BHuedjhd.dll

Filesize
157KB

MD5
bb1922dfbdd99e0b89bec66c30c31b73

SHA1
f7a561619c101ba9b335c0b3d318f965b8fc1dfb

SHA256
76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

SHA512
3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

Download Submit
\ProgramData\Progtmy\BHuedjhd.dll

Filesize
157KB

MD5
bb1922dfbdd99e0b89bec66c30c31b73

SHA1
f7a561619c101ba9b335c0b3d318f965b8fc1dfb

SHA256
76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

SHA512
3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

Download Submit
\ProgramData\Progtmy\XLFSIO.dll

Filesize
209KB

MD5
1bc7af7a8512cf79d4f0efc5cb138ce3

SHA1
68fd202d9380cacd2f8e0ce06d8df1c03c791c5b

SHA256
ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62

SHA512
84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

Download Submit
\ProgramData\Progtmy\XLGraphic.dll

Filesize
730KB

MD5
74c75ae5b97ad708dbe6f69d3a602430

SHA1
a02764d99b44ce4b1d199ef0f8ce73431d094a6a

SHA256
89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

SHA512
52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

Download Submit
\ProgramData\Progtmy\XLGraphic.dll

Filesize
730KB

MD5
74c75ae5b97ad708dbe6f69d3a602430

SHA1
a02764d99b44ce4b1d199ef0f8ce73431d094a6a

SHA256
89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

SHA512
52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

Download Submit
\ProgramData\Progtmy\XLLuaRuntime.dll

Filesize
249KB

MD5
5362cb2efe55c6d6e9b51849ec0706b2

SHA1
d91acbe95dedc3bcac7ec0051c04ddddd5652778

SHA256
1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40

SHA512
dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

Download Submit
\ProgramData\Progtmy\XLUE.dll

Filesize
2.4MB

MD5
0abbe96e1f7a254e23a80f06a1018c69

SHA1
0b83322fd5e18c9da8c013a0ed952cffa34381ae

SHA256
10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

SHA512
2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

Download Submit
\ProgramData\Progtmy\XLUE.dll

Filesize
2.4MB

MD5
0abbe96e1f7a254e23a80f06a1018c69

SHA1
0b83322fd5e18c9da8c013a0ed952cffa34381ae

SHA256
10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

SHA512
2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

Download Submit
\ProgramData\Progtmy\libexpat.dll

Filesize
668KB

MD5
5ff790879aab8078884eaac71affeb4a

SHA1
59352663fdcf24bb01c1f219410e49c15b51d5c5

SHA256
cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f

SHA512
34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

Download Submit
\ProgramData\Progtmy\libpng13.dll

Filesize
126KB

MD5
c0008d201ade4c66a9c83ac95751d8e6

SHA1
277d66db133cf3dc4c194b073fd701332944d0b1

SHA256
18664f0debfcd39681d7f165541a7d5d92653f83fe5aa443bf721a41881290bb

SHA512
166608df827228b159c54ca6b59c8d7e78030c463d7b1bffb15397fb7d0a0c9b7a050107c8d6a7ffa546bc8d830a85230bdfde5bee6d1fd89e49857abfeeccd8

Download Submit
\ProgramData\Progtmy\libpng13.dll

Filesize
126KB

MD5
c0008d201ade4c66a9c83ac95751d8e6

SHA1
277d66db133cf3dc4c194b073fd701332944d0b1

SHA256
18664f0debfcd39681d7f165541a7d5d92653f83fe5aa443bf721a41881290bb

SHA512
166608df827228b159c54ca6b59c8d7e78030c463d7b1bffb15397fb7d0a0c9b7a050107c8d6a7ffa546bc8d830a85230bdfde5bee6d1fd89e49857abfeeccd8

Download Submit
\ProgramData\Progtmy\zlib1.dll

Filesize
62KB

MD5
37163aacc5534fbab012fb505be8d647

SHA1
73de6343e52180a24c74f4629e38a62ed8ad5f81

SHA256
0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

SHA512
c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

Download Submit
\ProgramData\Progtmy\zlib1.dll

Filesize
62KB

MD5
37163aacc5534fbab012fb505be8d647

SHA1
73de6343e52180a24c74f4629e38a62ed8ad5f81

SHA256
0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

SHA512
c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8222F29C\setup-stub.exe

Filesize
549KB

MD5
04c63e4b810be2eadcba1453a1882f5d

SHA1
9c761c5f27aae2c91bedaf4f4117c123583df348

SHA256
72f090a4fa120ba64acebd6abe370d98e9c7c4cdfaf84b5ecf196eda93a1f321

SHA512
06c92a598f2820939c298459546db65f281a055639a0c0452d9714122d6bb1e292235eec17eadff60ecbd71e787802879df77228e3d8d5301d9f5ebfe5ed78e9

Download Submit
\Users\Admin\AppData\Local\sccs.exe

Filesize
226KB

MD5
ed823ff69eb7ce7fda80c43e865e8315

SHA1
6f0f66416fc54fda7f9b14f19271e157bea77c40

SHA256
9f489869d56413517d457daa2b73e7d1d1dc2e6b50ae0a1dfcd98d938f056c8e

SHA512
36d6375ce84460554642db76b41b3bbc5124ccf73da2718bc4262c1341d1612f668a722a3e8c140a98e42b90b064aaa47e447ffeba75b15c8ac89cbfa5207f26

Download Submit
\Windows\Installer\MSI6859.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\Windows\Installer\MSI6B66.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI6BF3.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI6EB2.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit
\Windows\Installer\MSI72E8.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\Windows\Installer\MSI7385.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\Windows\Installer\MSI749F.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI751C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI75D9.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
\Windows\Installer\MSI77DD.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
\Windows\Installer\MSI78AA.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
\Windows\Installer\MSI7A22.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
\Windows\Installer\MSI7AFD.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
\Windows\Installer\MSI7B9A.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
\Windows\Installer\MSI7DA1.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
memory/552-114-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/552-163-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/692-166-0x0000000008870000-0x00000000088B6000-memory.dmp

Filesize
280KB

Download
memory/956-54-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1648-134-0x0000000000540000-0x000000000056A000-memory.dmp

Filesize
168KB

Download
memory/1648-146-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/1648-144-0x00000000004D0000-0x0000000000502000-memory.dmp

Filesize
200KB

Download
memory/1648-103-0x0000000000300000-0x0000000000408000-memory.dmp

Filesize
1.0MB

Download
memory/1648-117-0x0000000000120000-0x0000000000155000-memory.dmp

Filesize
212KB

Download
memory/1648-121-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/1648-164-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/1648-130-0x00000000005B0000-0x00000000005E1000-memory.dmp

Filesize
196KB

Download
memory/1900-59-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1940-155-0x0000000002430000-0x0000000002461000-memory.dmp

Filesize
196KB

Download
memory/1940-143-0x0000000000430000-0x0000000000538000-memory.dmp

Filesize
1.0MB

Download
memory/1940-165-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/1940-162-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/1940-159-0x0000000000660000-0x000000000068A000-memory.dmp

Filesize
168KB

Download
memory/1940-152-0x0000000000580000-0x00000000005BF000-memory.dmp

Filesize
252KB

Download
memory/1940-150-0x0000000000540000-0x0000000000575000-memory.dmp

Filesize
212KB

Download
memory/2012-167-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download