1b9de13459edd851b69c52ce367171a1db59d9ace1fdd817945c46c732123901

Analysis

max time kernel
125s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2023, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

firefox_setup.exe
Size

377KB
MD5

4614ee72175d87e5374b02065a8368f4
SHA1

41f270896c0b1ea92221d9d329549b45615d1411
SHA256

1b9de13459edd851b69c52ce367171a1db59d9ace1fdd817945c46c732123901
SHA512

54fcdbb1d99131755df45d8366e9b8d9c9c6f7f6aa31f4cca09578c7ed9cd1e6d7528583d2c7a52d62b76869199186d75563fb2c07f90005dcfd042bc7409ba5
SSDEEP

6144:hZMaz7aEdGe5cuBO9KfOCVABGqN+LdzLnUNe0FBV7hZbowXSPliXv3GCe/o+CHy:hS0mEdGe5aEhqNe0e0FBfhXQ4Xv3GHoi

Score

8^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

pid	Process
1528	EuSHk1xOlbFPeqX.exe
4540	CTS.exe
2036	setup-stub.exe
4476	download.exe
1576	setup.exe
3632	maintenanceservice_installer.exe
4140	maintenanceservice_tmp.exe
1044	default-browser-agent.exe
1820	firefox.exe
1676	firefox.exe
2616	firefox.exe
4372	firefox.exe
5068	firefox.exe
1832	firefox.exe
2052	firefox.exe
4340	firefox.exe
4216	firefox.exe
4816	firefox.exe
3980	firefox.exe

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5C937667-B70D-4CA3-B6AF-DB2BE8347F8D}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C937667-B70D-4CA3-B6AF-DB2BE8347F8D}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\notificationserver.dll"	setup.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022e14-133.dat	upx
behavioral2/files/0x0008000000022e14-134.dat	upx
behavioral2/memory/1528-138-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/1528-158-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/files/0x0006000000022e2b-164.dat	upx
behavioral2/files/0x0006000000022e2b-165.dat	upx
behavioral2/memory/4476-166-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
2036	setup-stub.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
4608	regsvr32.exe
4608	regsvr32.exe
4588	regsvr32.exe
1576	setup.exe
3632	maintenanceservice_installer.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1044	default-browser-agent.exe
1044	default-browser-agent.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1576	setup.exe
1820	firefox.exe
1820	firefox.exe
1820	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
2616	firefox.exe
2616	firefox.exe
2616	firefox.exe
2616	firefox.exe
4372	firefox.exe
4372	firefox.exe
4372	firefox.exe
4372	firefox.exe
4372	firefox.exe
4372	firefox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	firefox_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	firefox_setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsq71AE.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libEGL.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\osclientcerts.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\dependentlibs.list	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\install.tmp	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\notificationserver.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\nss3.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\ucrtbase.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsb719D.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\mozwer.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\nssckbi.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsq71AE.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsxCDBB.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavcodec.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozglue.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\platform.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\updater.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsq71AF.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsj551.tmp	setup.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	firefox_setup.exe
File created	C:\Windows\CTS.exe	CTS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Colors	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{5C937667-B70D-4CA3-B6AF-DB2BE8347F8D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\EditFlags = "2"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\FIREFOXHTML-308046B0AF4A39CB\SHELL\OPEN\DDEEXEC	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32\ = "{DCA8D857-1A63-4045-8F36-8809EB093D04}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ = "IHandlerControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ = "ISimpleDOMDocument"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\AsynchronousInterface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5C937667-B70D-4CA3-B6AF-DB2BE8347F8D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\firefox.exe\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SynchronousInterface\ = "{CE30F77E-8847-44F0-A648-A9656BD89C0D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\URL Protocol	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "AsyncIHandlerControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ = "IGeckoBackChannel"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\FirefoxPDF-308046B0AF4A39CB\EditFlags = "2"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB\IconUri = "C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\VisualElements_70.png"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Interface	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\FirefoxPDF-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\FriendlyTypeName = "Firefox URL"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef4240f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4140	maintenanceservice_tmp.exe
4140	maintenanceservice_tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	firefox_setup.exe
Token: SeDebugPrivilege	4540	CTS.exe
Token: SeDebugPrivilege	1676	firefox.exe
Token: SeDebugPrivilege	1676	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2036	setup-stub.exe
1576	setup.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1676	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1528	1224	firefox_setup.exe	80
PID 1224 wrote to memory of 1528	1224	firefox_setup.exe	80
PID 1224 wrote to memory of 1528	1224	firefox_setup.exe	80
PID 1224 wrote to memory of 4540	1224	firefox_setup.exe	81
PID 1224 wrote to memory of 4540	1224	firefox_setup.exe	81
PID 1224 wrote to memory of 4540	1224	firefox_setup.exe	81
PID 1528 wrote to memory of 2036	1528	EuSHk1xOlbFPeqX.exe	82
PID 1528 wrote to memory of 2036	1528	EuSHk1xOlbFPeqX.exe	82
PID 1528 wrote to memory of 2036	1528	EuSHk1xOlbFPeqX.exe	82
PID 2036 wrote to memory of 4476	2036	setup-stub.exe	83
PID 2036 wrote to memory of 4476	2036	setup-stub.exe	83
PID 2036 wrote to memory of 4476	2036	setup-stub.exe	83
PID 4476 wrote to memory of 1576	4476	download.exe	85
PID 4476 wrote to memory of 1576	4476	download.exe	85
PID 4476 wrote to memory of 1576	4476	download.exe	85
PID 1576 wrote to memory of 4608	1576	setup.exe	86
PID 1576 wrote to memory of 4608	1576	setup.exe	86
PID 1576 wrote to memory of 4588	1576	setup.exe	87
PID 1576 wrote to memory of 4588	1576	setup.exe	87
PID 1576 wrote to memory of 3632	1576	setup.exe	88
PID 1576 wrote to memory of 3632	1576	setup.exe	88
PID 1576 wrote to memory of 3632	1576	setup.exe	88
PID 3632 wrote to memory of 4140	3632	maintenanceservice_installer.exe	89
PID 3632 wrote to memory of 4140	3632	maintenanceservice_installer.exe	89
PID 1576 wrote to memory of 1044	1576	setup.exe	90
PID 1576 wrote to memory of 1044	1576	setup.exe	90
PID 2036 wrote to memory of 1820	2036	setup-stub.exe	98
PID 2036 wrote to memory of 1820	2036	setup-stub.exe	98
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1820 wrote to memory of 1676	1820	firefox.exe	99
PID 1676 wrote to memory of 2616	1676	firefox.exe	101
PID 1676 wrote to memory of 2616	1676	firefox.exe	101
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103
PID 1676 wrote to memory of 4372	1676	firefox.exe	103

C:\Users\Admin\AppData\Local\Temp\firefox_setup.exe
"C:\Users\Admin\AppData\Local\Temp\firefox_setup.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\EuSHk1xOlbFPeqX.exe
  C:\Users\Admin\AppData\Local\Temp\EuSHk1xOlbFPeqX.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\7zS8F51B456\setup-stub.exe
    .\setup-stub.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\download.exe
      "C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\download.exe" /INI=C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\config.ini
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\setup.exe
        
        .\setup.exe /INI=C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\config.ini
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        6⤵
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:4608
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
        6⤵
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:4588
      - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
        
        "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140
      - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
        
        "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1044
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks processor information in registry
        Modifies Control Panel
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.0.88932613\340171113" -parentBuildID 20230112150232 -prefsHandle 1664 -prefMapHandle 2292 -prefsLen 21791 -prefMapSize 234484 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ae38588-7aa2-4e88-82af-02521618becb} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 2732 2f10eec1158 gpu
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2616
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.1.2090808561\1865240373" -parentBuildID 20230112150232 -prefsHandle 2592 -prefMapHandle 1696 -prefsLen 21791 -prefMapSize 234484 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dff983f8-7e15-4853-a2b9-d555c36e641f} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 2192 2f102581058 socket
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4372
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.2.1231862954\258459669" -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 2244 -prefsLen 23255 -prefMapSize 234484 -jsInitHandle 1336 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {843d047c-2549-433c-8133-22c43bdd87d8} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 1996 2f112b82158 tab
        6⤵
        Executes dropped EXE
        
        PID:5068
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.3.8161015\785826843" -childID 2 -isForBrowser -prefsHandle 3012 -prefMapHandle 1796 -prefsLen 23255 -prefMapSize 234484 -jsInitHandle 1336 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0a4823e-2812-4218-947b-e5ca8c44a51d} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 3160 2f102579958 tab
        6⤵
        Executes dropped EXE
        
        PID:1832
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.4.1109534207\926816902" -childID 3 -isForBrowser -prefsHandle 1624 -prefMapHandle 1544 -prefsLen 24253 -prefMapSize 234484 -jsInitHandle 1336 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dd992c2-265a-4e97-a062-43111199d6f6} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 1796 2f114d3ed58 tab
        6⤵
        Executes dropped EXE
        
        PID:2052
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.5.1640494427\1618882305" -parentBuildID 20230112150232 -prefsHandle 4084 -prefMapHandle 4080 -prefsLen 24536 -prefMapSize 234484 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7afc87ca-20ee-4c9c-81d5-9dd41a204186} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 4060 2f11344fc58 rdd
        6⤵
        Executes dropped EXE
        
        PID:4340
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.6.342918992\879385866" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4636 -prefsLen 29646 -prefMapSize 234484 -jsInitHandle 1336 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8502b3ef-3794-4ab2-aae5-3dff7a8cba13} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 4856 2f116b64e58 tab
        6⤵
        Executes dropped EXE
        
        PID:4216
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.7.1714621312\1427720432" -childID 5 -isForBrowser -prefsHandle 5040 -prefMapHandle 4872 -prefsLen 29646 -prefMapSize 234484 -jsInitHandle 1336 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {530fd149-fd33-4505-88ec-b02f128977a2} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 5028 2f117ffdc58 tab
        6⤵
        Executes dropped EXE
        
        PID:4816
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.8.779398063\522689218" -childID 6 -isForBrowser -prefsHandle 1676 -prefMapHandle 1692 -prefsLen 30014 -prefMapSize 234484 -jsInitHandle 1336 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d0aad8f-0fa1-47b3-b04d-6a744861972e} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 5452 2f1199d1458 tab
        6⤵
        Executes dropped EXE
        
        PID:3980
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8F51B456\setup-stub.exe

Filesize
407KB

MD5
27eba7c268114cde294ba56de94c1814

SHA1
0a0bbce1beaadb36e92bbcd1ed7de601e79528c1

SHA256
958aaac6fec9912ff65b7fa3ee87df665ee38ded11c90222b82efe8569847c9e

SHA512
5879384d9d22771b96db3b37ff9fb625f5c09ef3aea75919889b4450cd1efaa73c61f017d4a32802acfe8c0c90a1ed585062eec1b1331ac0cef8c45e31fffb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F51B456\setup-stub.exe

Filesize
407KB

MD5
27eba7c268114cde294ba56de94c1814

SHA1
0a0bbce1beaadb36e92bbcd1ed7de601e79528c1

SHA256
958aaac6fec9912ff65b7fa3ee87df665ee38ded11c90222b82efe8569847c9e

SHA512
5879384d9d22771b96db3b37ff9fb625f5c09ef3aea75919889b4450cd1efaa73c61f017d4a32802acfe8c0c90a1ed585062eec1b1331ac0cef8c45e31fffb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\Accessible.tlb

Filesize
2KB

MD5
8104751de2a8e948284f3ed577fe4872

SHA1
f03832fadce708f9fbb21f7ef1a44929f1792e08

SHA256
2a27d969cc58cb2b453f15e50c6fba15de088fe99c9c44d9998ec00f7be9676a

SHA512
27bdb251cd6886a81c0b754a545937c23c92420d2fa9c311a525c30319c4506a5b77988506aea1085615a163d1b758659164e4e244f3b3079890fa0f649891a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\AccessibleHandler.dll

Filesize
178KB

MD5
0829d068e615a5826b82ad6436a11aaa

SHA1
1a2f28645073b01e363d41b823842f68702ad5c7

SHA256
555a91e0699c32ff4c07bc262676c556df8089f7e796e9ac08114a2818559406

SHA512
1b7871f46cc21225a8279849c978599ed675d8df5221b9e42d1f32e976457dec86c98955d067ba5fe9fd1ca3f19f81deb18df9b1a8f9e71f2505c0cc5e49ea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\AccessibleMarshal.dll

Filesize
30KB

MD5
e0dace98194eec15dd97589b2540c7c7

SHA1
5886e41b9ca8e69b3163bdc699d12de90037ca3c

SHA256
fb8fa1d6050aa8c14e0d088dc94da912c9d538e122bf84d9bb5a9f942fa5bdff

SHA512
9ee3c63a546b9eec23b57d496f5288ec9f44a0bc19af957cfe330883e2339e485f04dbb8ef20aa984a152a7dbefe9de17ba6b65db3bd0310169d0ad548ff55ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
49c3ffd47257dbcb67a6be9ee112ba7f

SHA1
04669214375b25e2dc8a3635484e6eeb206bc4eb

SHA256
322d963d2a2aefd784e99697c59d494853d69bed8efd4b445f59292930a6b165

SHA512
bda5e6c669b04aaed89538a982ef430cef389237c6c1d670819a22b2a20bf3c22aef5cb4e73ef7837cbbd89d870693899f97cb538122059c885f4b19b7860a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
588bd2a8e0152e0918742c1a69038f1d

SHA1
9874398548891f6a08fc06437996f84eb7495783

SHA256
a07cc878ab5595aacd4ab229a6794513f897bd7ad14bcec353793379146b2094

SHA512
32ffe64c697f94c4db641ab3e20b0f522cf3eba9863164f1f6271d2f32529250292a16be95f32d852480bd1b59b8b0554c1e7fd7c7a336f56c048f4f56e4d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
d699333637db92d319661286df7cc39e

SHA1
0bffb9ed366853e7019452644d26e8e8f236241b

SHA256
fe760614903e6d46a1be508dccb65cf6929d792a1db2c365fc937f2a8a240504

SHA512
6fa9ff0e45f803faf3eb9908e810a492f6f971cb96d58c06f408980ab40cba138b52d853aa0e3c68474053690dfafa1817f4b4c8fb728d613696b6c516fa0f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
47388f3966e732706054fe3d530ed0dc

SHA1
a9aebbbb73b7b846b051325d7572f2398f5986ee

SHA256
59c14541107f5f2b94bbf8686efee862d20114bcc9828d279de7bf664d721132

SHA512
cce1fc5bcf0951b6a76d456249997b427735e874b650e5b50b3d278621bf99e39c4fc7fee081330f20762f797be1b1c048cb057967ec7699c9546657b3e248ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
f62b66f451f2daa8410ad62d453fa0a2

SHA1
4bf13db65943e708690d6256d7ddd421cc1cc72b

SHA256
48eb5b52227b6fb5be70cb34009c8da68356b62f3e707db56af957338ba82720

SHA512
d64c2a72adf40bd451341552e7e6958779de3054b0cf676b876c3ba7b86147aecba051ac08adc0c3bfb2779109f87dca706c43de3ce36e05af0ddee02bbbf419

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-conio-l1-1-0.dll

Filesize
19KB

MD5
6c88d0006cf852f2d8462dfa4e9ca8d1

SHA1
49002b58cb0df2ee8d868dec335133cf225657df

SHA256
d5960c7356e8ab97d0ad77738e18c80433da277671a6e89a943c7f7257ff3663

SHA512
d081843374a43d2e9b33904d4334d49383df04ee7143a8b49600841ece844eff4e8e36b4b5966737ac931ed0350f202270e043f7003bf2748c5418d5e21c2a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-convert-l1-1-0.dll

Filesize
22KB

MD5
d53637eab49fe1fe1bd45d12f8e69c1f

SHA1
c84e41fdcc4ca89a76ae683cb390a9b86500d3ca

SHA256
83678f181f46fe77f8afe08bfc48aebb0b4154ad45b2efe9bfadc907313f6087

SHA512
94d43da0e2035220e38e4022c429a9c049d6a355a9cb4695ad4e0e01d6583530917f3b785ea6cd2592fdd7b280b9df95946243e395a60dc58ec0c94627832aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
c712515d052a385991d30b9c6afc767f

SHA1
9a4818897251cacb7fe1c6fe1be3e854985186ad

SHA256
f7c6c7ea22edd2f8bd07aa5b33cbce862ef1dcdc2226eb130e0018e02ff91dc1

SHA512
b7d1e22a169c3869aa7c7c749925a031e8bdd94c2531c6ffe9dae3b3cd9a2ee1409ca26824c4e720be859de3d4b2af637dd60308c023b4774d47afe13284dcd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
20KB

MD5
f0d507de92851a8c0404ac78c383c5cd

SHA1
78fa03c89ea12ff93fa499c38673039cc2d55d40

SHA256
610332203d29ab218359e291401bf091bb1db1a6d7ed98ab9a7a9942384b8e27

SHA512
a65c9129ee07864f568c651800f6366bca5313ba400814792b5cc9aa769c057f357b5055988c414e88a6cd87186b6746724a43848f96a389a13e347ef5064551

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-heap-l1-1-0.dll

Filesize
19KB

MD5
f9e20dd3b07766307fccf463ab26e3ca

SHA1
60b4cf246c5f414fc1cd12f506c41a1043d473ee

SHA256
af47aebe065af2f045a19f20ec7e54a6e73c0c3e9a5108a63095a7232b75381a

SHA512
13c43eee9c93c9f252087cb397ff2d6b087b1dc92a47ba5493297f080e91b7c39ee5665d6bdc1a80e7320e2b085541fc798a3469b1f249b05dee26bbbb6ab706

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
ab206f2943977256ca3a59e5961e3a4f

SHA1
9c1df49a8dbdc8496ac6057f886f5c17b2c39e3e

SHA256
b3b6ee98aca14cf5bc9f3bc7897bc23934bf85fc4bc25b7506fe4cd9a767047a

SHA512
baccc304b091a087b2300c10f6d18be414abb4c1575274c327104aabb5fdf975ba26a86e423fda6befb5d7564effac0c138eb1bad2d2e226131e4963c7aac5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-math-l1-1-0.dll

Filesize
27KB

MD5
4dd7a61590d07500704e7e775255cb00

SHA1
8b35ec4676bd96c2c4508dc5f98ca471b22deed7

SHA256
a25d0654deb0cea1aef189ba2174d0f13bdf52f098d3a9ec36d15e4bfb30c499

SHA512
1086801260624cf395bf971c9fd671abddcd441ccc6a6eac55f277ccfbab752c82cb1709c8140de7b4b977397a31da6c9c8b693ae92264eb23960c8b1e0993bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
26KB

MD5
4e033cfee32edf6be7847e80a5114894

SHA1
91eef52c557aefd0fde27e8df4e3c3b7f99862f2

SHA256
dff24441df89a02dde1cd984e4d3820845bafdff105458ed10d510126117115b

SHA512
e1f3d98959d68ef3d7e86ac4cb3dbdf92a34fcfd1bf0e0db45db66c65af0162ab02926dc5d98c6fc4a759a6010026ee26a9021c67c0190da941a04b783055318

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-private-l1-1-0.dll

Filesize
69KB

MD5
50740f0bc326f0637c4166698298d218

SHA1
0c33cfe40edd278a692c2e73e941184fd24286d9

SHA256
adbb658dd1cbecaca7cc1322b51976f30b36ccf0a751f3bad1f29d350b192c9c

SHA512
f1331ab1d52fb681f51546168e9736e2f6163e0706955e85ac9e4544d575d50e6eacd90ea3e49cb8b69da34fe0b621b04661f0b6f09f7ce8ceca50308c263d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-process-l1-1-0.dll

Filesize
19KB

MD5
595d79870970565be93db076afbe73b5

SHA1
ec96f7beeaec14d3b6c437b97b4a18a365534b9b

SHA256
fc50a37acc35345c99344042d7212a4ae88aa52a894cda3dcb9f6db46d852558

SHA512
152849840a584737858fc5e15f0d7802786e823a13ec5a9fc30ee032c7681deaf11c93a8cffead82dc5f73f0cd6f517f1e83b56d61d0e770cbb20e1cfff22840

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
8b9b0d1c8b0e9d4b576d42c66980977a

SHA1
a19acefa3f95d1b565650fdbc40ef98c793358e9

SHA256
371a44ab91614a8c26d159beb872a7b43f569cb5fac8ada99ace98f264a3b503

SHA512
4b1c5730a17118b7065fada3b36944fe4e0260f77676b84453ee5042f6f952a51fd99debca835066a6d5a61ba1c5e17247551340dd02d777a44bc1cae84e6b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
24KB

MD5
76e0a89c91a28cf7657779d998e679e5

SHA1
982b5da1c1f5b9d74af6243885bcba605d54df8c

SHA256
0189cbd84dea035763a7e52225e0f1a7dcec402734885413add324bffe688577

SHA512
d75d8798ea3c23b3998e8c3f19d0243a0c3a3262cffd8bcee0f0f0b75f0e990c9ce6644150d458e5702a8aa51b202734f7a9161e795f8121f061139ad2ea454f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
96da689947c6e215a009b9c1eca5aec2

SHA1
7f389e6f2d6e5beb2a3baf622a0c0ea24bc4de60

SHA256
885309eb86dccd8e234ba05e13fe0bf59ab3db388ebfbf6b4fd6162d8e287e82

SHA512
8e86fa66a939ff3274c2147463899df575030a575c8f01573c554b760a53b339127d0d967c8cf1d315428e16e470fa1cc9c2150bb40e9b980d4ebf32e226ee89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
6b33b34888ccecca636971fbea5e3de0

SHA1
ee815a158baacb357d9e074c0755b6f6c286b625

SHA256
00ac02d39b7b16406850e02ca4a6101f45d6f7b4397cc9e069f2ce800b8500b9

SHA512
f52a2141f34f93b45b90eb3bbcdb64871741f2bd5fed22eaaf35e90661e8a59eba7878524e30646206fc73920a188c070a38da9245e888c52d25e36980b35165

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
54f27114eb0fda1588362bb6b5567979

SHA1
eaa07829d012206ac55fb1af5cc6a35f341d22be

SHA256
984306a3547be2f48483d68d0466b21dda9db4be304bedc9ffdb953c26cac5a1

SHA512
18d2bdce558655f2088918241efdf9297dfe4a14a5d8d9c5be539334ae26a933b35543c9071cedada5a1bb7c2b20238e9d012e64eb5bbf24d0f6b0b726c0329d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\application.ini

Filesize
891B

MD5
65c93314ff59e946fcf1980a0cb894ee

SHA1
5a639ef6951cef21fbf7ed819448cf31b0eb7b6e

SHA256
a718d1ab9766addb92cd0f408a7f23bc464aca67885e73d84bc68aecc662f110

SHA512
874a2b222d40272b4fe630fc51dddbc064ee868a6aa002a321d01f468d4b4e367ea375042d930e2cf1d1b64704f950d73bfc36c37600ac808b3a1235e61b5a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\crashreporter.exe

Filesize
259KB

MD5
b51b916f41d0b0461b696b2609cad8bf

SHA1
e2bb091c6efd5e1086cf67286d996bf4084d5e25

SHA256
af1d2068c9fb1395b63307af34c3ef531561604169369071b52b89c721161200

SHA512
5009b7f98444c6d7adac89ddb66c00c250ed3add98496ca71b928e726723852f95bb48b0861696d4c18953b2c552ea1e4f6f755a7a8459f3161b733ccd1d7e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\crashreporter.ini

Filesize
3KB

MD5
1b0d446f9d17c1374c81acec9d8d2406

SHA1
016bca3d4ee9a0dbb4350ee7a1898779dced6c11

SHA256
a0cc8cc3287d54d7e23a156256a553792970df9ca57f6ad85dceed32b979da71

SHA512
4e7de92579628cf8c31287506d6f3096bb15402ee6d694a72462cbd1f093e7d04cbcc9e13691b94408091e0c5ea8d8c528365a90885b55a126416af37be6979a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\d3dcompiler_47.dll

Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\default-browser-agent.exe

Filesize
694KB

MD5
3df2cf9af849d2912dc1418ef8ab00b3

SHA1
363f09cdac986c9f8409b3ea42dc1f9a7eee2a7d

SHA256
6dd814441f932d3a20d5b274d54a8e165df828b183b034caa886565134f425e6

SHA512
b5fe71f2135de1cf159d3e72314985bec1289a89abdc17a3e917c987c39031bb55c293ff637b0c1e77a2e2923fcf70a053816a0bfe09c59c3d0224b0fba59d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\defaultagent.ini

Filesize
932B

MD5
88d7d32ad20bf89bb7785bd07c638e17

SHA1
2bd40f0b69c2edc64ab6b7e6dd2e7ca6a6fea6f6

SHA256
5cf0660a8f2624433c8c1022f93ff3c94c5611ccbc93118ee053566590eb53f4

SHA512
7bb3328ce42e7bb546a2192ade1e8e153408912f3582c27dc0c5cbe1c2d807365aaf4206c3ceab6cb3d6c34d3155125cb7509dbf800ecf70ab35f8a64f764010

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\defaultagent_localized.ini

Filesize
1022B

MD5
dfa56f0760554fa9708e45248e6c576c

SHA1
f0976a4141e3dc15ba0ff9db6045b9dfbd2668e0

SHA256
8aa7e80abf76d1e81205a10d92373ef1029778b9ae9c15dd3ba758aa26e84d88

SHA512
ccc252daf5345da69530cf03da15c7634b89cc4fefaedfed5cf96f90c15f780f323f5c1155bddf2a4b0577a59404601ca5776ca9f0cfbfcf6cd91e5453cb6a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\dependentlibs.list

Filesize
446B

MD5
35da5601932b6ade92ec29951942ec1f

SHA1
4d0b52b709c3e25b50dd53dfab9337ef8958d1ca

SHA256
3da3fa240910cc0aed83b17a81c87251a6bc6cf5db5be9e71a3e01d7b7d88f86

SHA512
0bd4ae8932d6f2d7bb1655b13f66fc24a858a17993be9354921406e63372242661a3bb52010445173fb856d4e5f98fcfbd44a155fe0760feca8cc65bebd777c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\firefox.VisualElementsManifest.xml

Filesize
557B

MD5
0aa43576f0420593451b10ab3b7582ec

SHA1
b5f535932053591c7678faa1cd7cc3a7de680d0d

SHA256
3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6

SHA512
6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\firefox.exe

Filesize
645KB

MD5
66a6b001d806d3117bba41dd55c08de0

SHA1
5539ebc8067d45f80744b22f498af8ed586287db

SHA256
0fc5fd25e5cb032af0e867b74ad8fcb3a0f5803f3c661e398d5a03448c5ca946

SHA512
0d80fe7456e609b921a7a97fdbea4805f2cda0df3dfe459338e62b78a5792ec38d506d5e50a65d2d70e5a6e6ed266832be6aface973d4f95eaff4c3c2a58e548

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\core\firefox.exe.sig

Filesize
1KB

MD5
5dfa706a4ee44be5e14785cb65126d62

SHA1
1961b8d26bd745b4bd3fbbd8432f0d6e4bd022ee

SHA256
15e9aa58c7aa9202c11b00afcc8d3b7276acc63ffd7c398453d2f1303cfec68c

SHA512
a41b436d5617560e062f6e4e0bd8a88f4a4952fb692ac51bac649a1b757b222d40af760543bea6bf8931f57f2a85a3a795ed417bee737a38ed93c6363c7e6330

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\setup.exe

Filesize
921KB

MD5
eab4d376a4d1c1045cf5afba3d4b85ea

SHA1
9c8ab74d563e9fa6ac516be00604645782fa662b

SHA256
07d33198586b9b268dc9236179d3e6a7560416126d9750003c73ef1d9bab8786

SHA512
09ffdb0aa19d64d13fc81dd7414bbe89aa0b3452dd4ad0de829442b71c823c01fb4975eaf76e8c888619425eec17acdd1e371ca8ce01c207db3bc7280923e75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC71910F6\setup.exe

Filesize
921KB

MD5
eab4d376a4d1c1045cf5afba3d4b85ea

SHA1
9c8ab74d563e9fa6ac516be00604645782fa662b

SHA256
07d33198586b9b268dc9236179d3e6a7560416126d9750003c73ef1d9bab8786

SHA512
09ffdb0aa19d64d13fc81dd7414bbe89aa0b3452dd4ad0de829442b71c823c01fb4975eaf76e8c888619425eec17acdd1e371ca8ce01c207db3bc7280923e75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuSHk1xOlbFPeqX.exe

Filesize
306KB

MD5
b1ec7bff4192f75a0a53608047a190e9

SHA1
7686a580333e8d60e1806418c8467e85beab4d2a

SHA256
134e9f12545c3300eedc7a5644c28f390e00918a15fbcf2143492810ab4a5474

SHA512
2af2d71ef3f292888adbe9836ae8bb3b1a8f99f4c95be0565515adf544c989e4ff722342721500b0aefc5f57178a1de9a916c4096c3f6722b42dcd0063cd6067

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuSHk1xOlbFPeqX.exe

Filesize
306KB

MD5
b1ec7bff4192f75a0a53608047a190e9

SHA1
7686a580333e8d60e1806418c8467e85beab4d2a

SHA256
134e9f12545c3300eedc7a5644c28f390e00918a15fbcf2143492810ab4a5474

SHA512
2af2d71ef3f292888adbe9836ae8bb3b1a8f99f4c95be0565515adf544c989e4ff722342721500b0aefc5f57178a1de9a916c4096c3f6722b42dcd0063cd6067

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\CertCheck.dll

Filesize
4KB

MD5
837429ef2393bd6f8d7ae6ab43669108

SHA1
bc1a6e461de60db2f3036778c761103c02374082

SHA256
9e1831bf44b75980903eff8446960f21ab323b9f8249ddb49519718d873135d5

SHA512
c9b464377720799030e7303ea98acd38dc56ef0ae613ec540a5d9907d84bb7c455f6e02b38073901ee717bfdbf92137ab095aa9ce047971b6a2e6d3bc9d039d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\CertCheck.dll

Filesize
4KB

MD5
837429ef2393bd6f8d7ae6ab43669108

SHA1
bc1a6e461de60db2f3036778c761103c02374082

SHA256
9e1831bf44b75980903eff8446960f21ab323b9f8249ddb49519718d873135d5

SHA512
c9b464377720799030e7303ea98acd38dc56ef0ae613ec540a5d9907d84bb7c455f6e02b38073901ee717bfdbf92137ab095aa9ce047971b6a2e6d3bc9d039d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\CertCheck.dll

Filesize
4KB

MD5
837429ef2393bd6f8d7ae6ab43669108

SHA1
bc1a6e461de60db2f3036778c761103c02374082

SHA256
9e1831bf44b75980903eff8446960f21ab323b9f8249ddb49519718d873135d5

SHA512
c9b464377720799030e7303ea98acd38dc56ef0ae613ec540a5d9907d84bb7c455f6e02b38073901ee717bfdbf92137ab095aa9ce047971b6a2e6d3bc9d039d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\CertCheck.dll

Filesize
4KB

MD5
837429ef2393bd6f8d7ae6ab43669108

SHA1
bc1a6e461de60db2f3036778c761103c02374082

SHA256
9e1831bf44b75980903eff8446960f21ab323b9f8249ddb49519718d873135d5

SHA512
c9b464377720799030e7303ea98acd38dc56ef0ae613ec540a5d9907d84bb7c455f6e02b38073901ee717bfdbf92137ab095aa9ce047971b6a2e6d3bc9d039d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\InetBgDL.dll

Filesize
33KB

MD5
73a0bec837004bc5ae5cd0a5b0d3bcf8

SHA1
92cb463841b6adeecb8cc9cc8eb5f39a61dc7edd

SHA256
0dd38281a824298100b2bc89ee5b8a5c9cd9ec7a3b051dff42037a891fa7c534

SHA512
f7aa18261fb4ef99b66e9a16e2df6323d34444de84a5bdabd3890154b0207f8509f34f2fe115b00e2396d33df778be6456a7fd754cc00271f8189e5a4420b6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\InetBgDL.dll

Filesize
33KB

MD5
73a0bec837004bc5ae5cd0a5b0d3bcf8

SHA1
92cb463841b6adeecb8cc9cc8eb5f39a61dc7edd

SHA256
0dd38281a824298100b2bc89ee5b8a5c9cd9ec7a3b051dff42037a891fa7c534

SHA512
f7aa18261fb4ef99b66e9a16e2df6323d34444de84a5bdabd3890154b0207f8509f34f2fe115b00e2396d33df778be6456a7fd754cc00271f8189e5a4420b6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\config.ini

Filesize
187B

MD5
ed23468cb20f1f37a967eb26f639faef

SHA1
5707e3d394b6a3e36e8b1e23317ec115bafa1e9c

SHA256
812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913

SHA512
9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\download.exe

Filesize
55.1MB

MD5
972d126169dc323214a42d6c8e546188

SHA1
580c999b0611315fde1b757bbd1e6d1f03ac6056

SHA256
4248ad3423c70e44a619fb106d41982fa1bf6146a72af53465c9bcba7e33a4d2

SHA512
49a3d2e187e894a7aa23656b783c3be5e82196bd8394928e5fa5cb10ef60cf2d8c1b934208179a3035daf6d44a5f50405e683a2edaded97bbedf75e859c9f0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\download.exe

Filesize
55.1MB

MD5
972d126169dc323214a42d6c8e546188

SHA1
580c999b0611315fde1b757bbd1e6d1f03ac6056

SHA256
4248ad3423c70e44a619fb106d41982fa1bf6146a72af53465c9bcba7e33a4d2

SHA512
49a3d2e187e894a7aa23656b783c3be5e82196bd8394928e5fa5cb10ef60cf2d8c1b934208179a3035daf6d44a5f50405e683a2edaded97bbedf75e859c9f0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\nsDialogs.dll

Filesize
9KB

MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\nsDialogs.dll

Filesize
9KB

MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb714E.tmp\nsJSON.dll

Filesize
18KB

MD5
e89c7cd9336d61bb500ac3e581601878

SHA1
45b2563daa00ba1b747615c23c38ef04b95c5674

SHA256
431fc2ed27d0b7a1ce80de07989595effcc3ffb1dea1af6c0e178b53f6bd2f1e

SHA512
09485a354ac4ace6084cb6fcbd92eee8488074763c8443638f78e655e45e8aa0fe40a45d4ce0dff116ed3a4bb7bc4d7d845a6ccf0e0bf35533ce81626a8db06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso521.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso521.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
memory/1528-138-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-145-0x0000000002831000-0x0000000002835000-memory.dmp

Filesize
16KB

Download
memory/2036-153-0x0000000003111000-0x0000000003113000-memory.dmp

Filesize
8KB

Download
memory/2036-156-0x0000000003120000-0x000000000312B000-memory.dmp

Filesize
44KB

Download
memory/2036-157-0x0000000003121000-0x0000000003127000-memory.dmp

Filesize
24KB

Download
memory/4476-166-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download