Malware Analysis Report

2025-03-14 22:36

Sample ID 240406-sl87vsdf89
Target e2d1fda785669f8fb843491a5c110efc_JaffaCakes118
SHA256 e93ff48a56b972395fae83b84f2d8ad1ae60864cff663813ae22ecee5f2baae5
Tags
upx persistence spyware stealer discovery evasion trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e93ff48a56b972395fae83b84f2d8ad1ae60864cff663813ae22ecee5f2baae5

Threat Level: Likely malicious

The file e2d1fda785669f8fb843491a5c110efc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx persistence spyware stealer discovery evasion trojan

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Checks computer location settings

Loads dropped DLL

Registers COM server for autorun

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 15:13

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 15:13

Reported

2024-04-06 15:16

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.ini C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nsd4CBE.tmp C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nso4CAC.tmp C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe.sig C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe.sig C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaultagent.ini C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\ C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\ C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.ini C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\mozglue.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\vcruntime140.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\msvcp140.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nsd4CBC.tmp C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\omni.ja C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\locale.ini C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\ C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaultagent_localized.ini C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\ C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\ C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\ C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\IA2Marshal.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nsd4CBD.tmp\ C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\ C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\tobedeleted\ C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\softokn3.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nsd4CBD.tmp C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\qipcap64.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\tobedeleted\nsd9069.tmp C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nssckbi.dll C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418578361" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e02a5e433588da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c2306770000000002000000000010660000000100002000000030276504c73d97675ba00db122f261d106388661394f0bd2609b6222c7a39bff000000000e800000000200002000000023ab756c0368bef2e784bab2972d6a5f7ce6ef392f6a9ef7327fdff38448abac900000006ac15bc3cb49650533b89065da6cbe2d4703dbf1bd3a03d17840e6a85f05634cce259260d044b8eebb31e089ac0cdae59682390c38c0d265f7039970c2fec7c90638a4aef79874c72f61ac47438404baab6325a39a2d76fddf59d48b7eb8b905f8647be5055a92b0c444861e38dbd6179692a7a93dfab9297f18dca4e405b68acda914500f54b7f10923d38a90c9b688400000002644a336f161b3e57e3ec89b7331b7deb580f420fdd0af2d87b2c06fb08d84cd02af59e929c557ad7f83ad70acb896bbd5465589362fa51ef902e0ca29a4e3ff C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6AFE9B21-F428-11EE-8059-CEEE273A2359} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000d454e907ddb3a90e5d0a592b34e42c4e13b4260a04c4f392d901ec77dc1148bf000000000e80000000020000200000009de5f18afe24fb348bbb1ef0cc0f10a982346c3a48ca80be6f4ac0639cd9ec91200000008f04fc3e666bfe01b4afd5e69e3a30da692b6e60eec3ac96a702a71d6fdef59140000000c912c9d2935f457314c435e51e7bb3e94aa454dc1f479e82ef65e16720c314e05acc6e86fed9c6d007a8ac3f76a600ad413e9f64be15e0719921eca470f5a7db C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe
PID 2196 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe
PID 2196 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe
PID 2196 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe
PID 2196 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Windows\CTS.exe
PID 2196 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Windows\CTS.exe
PID 2196 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Windows\CTS.exe
PID 2196 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1692 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe
PID 1692 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe
PID 1692 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe
PID 1692 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe
PID 1692 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe
PID 1692 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe
PID 1692 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe
PID 2068 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe
PID 2068 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe
PID 2068 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe
PID 2068 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe
PID 2068 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe
PID 2068 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe
PID 2068 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Windows\CTS.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Windows\CTS.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Windows\CTS.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Windows\CTS.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Windows\CTS.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Windows\CTS.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe C:\Windows\CTS.exe
PID 2648 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe
PID 2648 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe
PID 2648 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe
PID 2648 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe
PID 2648 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe
PID 2648 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe
PID 2648 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe
PID 1608 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe
PID 1608 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe
PID 1608 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe
PID 1608 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe
PID 1608 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe
PID 1608 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe
PID 1608 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe
PID 2960 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2960 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2960 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2960 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2676 wrote to memory of 2568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2676 wrote to memory of 2568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2676 wrote to memory of 2568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2676 wrote to memory of 2568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2676 wrote to memory of 2568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2676 wrote to memory of 2568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe

C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe

.\setup-stub.exe

C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe

C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe

"C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\config.ini

C:\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe

.\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\config.ini

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mozilla.org/firefox/system-requirements/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.mozilla.org udp
US 44.209.165.254:443 download.mozilla.org tcp
US 8.8.8.8:53 download-installer.cdn.mozilla.net udp
US 34.117.35.28:443 download-installer.cdn.mozilla.net tcp
US 8.8.8.8:53 www.mozilla.org udp
ES 18.154.37.188:443 www.mozilla.org tcp
ES 18.154.37.188:443 www.mozilla.org tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
ES 18.154.37.188:443 www.mozilla.org tcp
ES 18.154.37.188:443 www.mozilla.org tcp
ES 18.154.37.188:443 www.mozilla.org tcp
ES 18.154.37.188:443 www.mozilla.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2196-0-0x0000000001380000-0x0000000001397000-memory.dmp

memory/2196-11-0x0000000001380000-0x0000000001397000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\me6Mjo0ObYorpyb.exe

MD5 78275c405670e0d9dd16481f26f5355c
SHA1 8581c6e6e7f239dbbba5083c65a76b3893515e3b
SHA256 0d5d6ea5c85bce2ae1e9dd5a777a35cfe21e9f9526630d13cf1795c4fb32eeda
SHA512 7cf9c4aa805cc0f161200e1e71f09eeb525d03d57f550062c880d63c13f7fd616613ab3630c7ba28cc84141390e55eb45bdde8e757c9fd29bbe8ddbcfe3a2d35

memory/2196-4-0x0000000000260000-0x00000000002A6000-memory.dmp

memory/2196-14-0x0000000001060000-0x0000000001077000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/1692-17-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2892-20-0x0000000001060000-0x0000000001077000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe

MD5 adb824f8f58ed0388893da04f9a1b57a
SHA1 bb264f2110211abfb3cf33054b6c9f41df27b190
SHA256 4359be2767eb11a1ae7387947c6542dfc5c5676fbf38ad8339f506b62843ae94
SHA512 be24cb9ff23eeee96158df3b3727b2c9a8ac0bddc344d17930badad2b233251d9bfea393d84cddbe5ea519c1a5f88cec06068e96db4094f922ce64dfe9b87e24

C:\Users\Admin\AppData\Local\Temp\7zSC96E2666\setup-stub.exe

MD5 5aa572fb0291f7502da43467e0c56243
SHA1 a0675c785d8c2ecde47c5cccf958898048fe3cc2
SHA256 f367ce14664eb7f07e6cf99853697209f7c1abf470c501b30efae78c0281e5c3
SHA512 16c3c0638b5ef21b3bfb84994365be3db3cea9ea6e4c8f04370e1ee2746b22c9ad3cf3ba6437e283a44285de46c67082fae6b6b2b4f747a05f470b2d3ed9c2b5

memory/1692-27-0x00000000002B0000-0x00000000002C7000-memory.dmp

memory/2068-29-0x0000000001060000-0x0000000001077000-memory.dmp

memory/2068-32-0x0000000000020000-0x0000000000037000-memory.dmp

memory/2068-34-0x0000000000020000-0x0000000000037000-memory.dmp

memory/2068-35-0x0000000000020000-0x0000000000037000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1XP9sIAGVJbevop.exe

MD5 5e8603920f9fd39ecede163aab0c53c7
SHA1 1f686ce223269087e4b036e8fdfd9214d9b8911f
SHA256 f3a9cdd9ff511cd504bc5ca96e280bbc166fa1d87e749a86a5d73d05cdd1f879
SHA512 935b7e57fa7f2798f0ba1b9a0481a43ae60339886462c9010328335e833207755046449dd97885df86ac8d4d46f471d557ea4585223765120b9401b57bf04705

memory/1692-50-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2520-48-0x0000000001060000-0x0000000001077000-memory.dmp

memory/2068-42-0x0000000001060000-0x0000000001077000-memory.dmp

memory/2068-41-0x0000000000140000-0x0000000000157000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\System.dll

MD5 17ed1c86bd67e78ade4712be48a7d2bd
SHA1 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
SHA256 bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
SHA512 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\UAC.dll

MD5 113c5f02686d865bc9e8332350274fd1
SHA1 4fa4414666f8091e327adb4d81a98a0d6e2e254a
SHA256 0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d
SHA512 e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\UserInfo.dll

MD5 1b446b36f5b4022d50ffdc0cf567b24a
SHA1 d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9
SHA256 2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922
SHA512 04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

memory/2648-76-0x0000000000590000-0x000000000059F000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\CityHash.dll

MD5 737379945745bb94f8a0dadcc18cad8d
SHA1 6a1f497b4dc007f5935b66ec83b00e5a394332c6
SHA256 d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a
SHA512 c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\nsDialogs.dll

MD5 42b064366f780c1f298fa3cb3aeae260
SHA1 5b0349db73c43f35227b252b9aa6555f5ede9015
SHA256 c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab
SHA512 50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\InetBgDL.dll

MD5 d4f7b4f9c296308e03a55cb0896a92fc
SHA1 63065bed300926a5b39eabf6efdf9296ed46e0cc
SHA256 6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83
SHA512 d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

memory/2196-114-0x0000000001060000-0x0000000001077000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\CertCheck.dll

MD5 2979f933cbbac19cfe35b1fa02cc95a4
SHA1 4f208c9c12199491d7ba3c1ee640fca615e11e92
SHA256 bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f
SHA512 61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

C:\Users\Admin\AppData\Local\Temp\Cab8E05.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\download.exe

MD5 1e27e7745bba839a11fde43ee09614fb
SHA1 8ea7d0013e5f4327adef0384427f14adf8d2e9e6
SHA256 3d60842520fdca462a8c9e3c998eb2e3a267dc801af1100953910038b0da0906
SHA512 bce358d57a36bc1d9326f944b7aa3b3f59c3174b8a5d4c7e2ee7b4fe90b1ac3cfb49e79ffb68564359680f6920cf32ac889252aff2a13424bc252d412504f40e

C:\Users\Admin\AppData\Local\Temp\nsi4C3D.tmp\config.ini

MD5 ed23468cb20f1f37a967eb26f639faef
SHA1 5707e3d394b6a3e36e8b1e23317ec115bafa1e9c
SHA256 812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913
SHA512 9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

memory/2648-159-0x0000000003710000-0x0000000003756000-memory.dmp

memory/2520-165-0x0000000001060000-0x0000000001077000-memory.dmp

memory/1608-176-0x0000000000240000-0x0000000000286000-memory.dmp

memory/1608-194-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2648-246-0x0000000003710000-0x0000000003756000-memory.dmp

memory/1608-297-0x0000000000240000-0x0000000000286000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8464AEB6\setup.exe

MD5 43947976824aa63f057de1ac7a99c377
SHA1 5f6d978b9bd3ad7e435848090d7d53e27edcf66a
SHA256 c57ccd8514fe77530c62f67b5a069afb0a912a11892e890dccfdb5a64b1f9531
SHA512 2c812802b5c1150c406e8dae2857d13783f8aeaf2a29acdc65f8d86ba1f3e0f9164823a414a868b51a98f94f41f784659b39c0d9451deae756f93af144134ada

\Users\Admin\AppData\Local\Temp\nsoFAA5.tmp\System.dll

MD5 b361682fa5e6a1906e754cfa08aa8d90
SHA1 c6701aee0c866565de1b7c1f81fd88da56b395d3
SHA256 b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04
SHA512 2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

memory/1608-384-0x0000000000240000-0x000000000024D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar1191.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\Cab117E.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aebc25814310b7546a60365999001a4e
SHA1 3f9b0c8d97f0da2a472a90a0cc67bcf1c756bec9
SHA256 65cb09be353db6324fc4fa1a0f867aedfb7c861f8b1969c08f7062dbfecd1397
SHA512 c648c0fc9980562549bc9fdb6407325030ef6a5dbb91e5f71438db126d4f9fd8516893e92dd683e29534beb3bb893b190b57b8635419b174669ca5a22690349e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 233b87f19a5f0e36b43c03c8a4948ec0
SHA1 e43a5d5fbf0605175bb82c981bc0d45e5c13af6a
SHA256 2682266ce41964975cce46999e8aa610b898fba51a93a2a645785c797d97e0f2
SHA512 08f89e371f20855f065f94d51ebbd2e46ce1d888a0a0ed94c9087774cc9090b8620ac8a434ab1af2754c71b5af7e74b5fb43dc59d19275af6213d612afb25cf7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d3e08245ec9b8987b8e94dd1cd57715
SHA1 14d593d0b2b6e6ab15708be048097faf23fc40c6
SHA256 d96a3e8c6be05dad05273c2f40bee2bf075cf2735814ede276dd326051d1a26d
SHA512 2a9ff25f8e58fc56ef792aac492746b42316ea186c559d4c94c7979c3f3291c67c4f2ede35bea73c70146649b27c8d421c4a8c4502c1d0ef068f971eedbe3743

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQQVSTWU\favicon-196x196.59e3822720be[1].png

MD5 59e3822720bedcc45ca5e6e6d3220ea9
SHA1 8daf0eb5833154557561c419b5e44bbc6dcc70ee
SHA256 1d58e7af9c848ae3ae30c795a16732d6ebc72d216a8e63078cf4efde4beb3805
SHA512 5bacb3be51244e724295e58314392a8111e9cab064c59f477b37b50d9b2a2ea5f4277700d493e031e60311ef0157bbd1eb2008d88ea22d880e5612cfd085da6d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\60nmxlj\imagestore.dat

MD5 58a3964f08ddc05bddc4982091830da5
SHA1 9ae52bcf579d9d1f8a8e16aedc4abd356a2f5eb7
SHA256 c64c79db16258532d3ec5c28d6965d961fe0202b1ab99a58375a7888ff33dcc0
SHA512 ce34908adc92429f583ed40e143f1e404e03f948ca7bcc02b4dc892a6223557894a31bc579a8923f0c016bde030b4d1d68e2301693e9b112a778c9ad46a8dc8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c8e461cd508b513c2d20410e6198847c
SHA1 88f533a548a78eab58f87e170bb70d20feffb6f1
SHA256 b38b4ce8bbf8b293f9c1d6699229e3e50b7b1203a694e31aa801cbb08c8b7850
SHA512 79af3926ad9f9864040725adba5126d6bde854c28eb3c9d55671076eb5e2644374790fa68aedd2d0be51f550094ce927622323c351a9e46c3d84825de8a775da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ecf62f63e6f6f79184d2358585eb93d
SHA1 18dd20f708ff5f0bce40b011e961aa0cd1753d94
SHA256 b8d0107bf9eb2225ddd95430d641b78b3f17a3df3f1b441433f1a119813172d6
SHA512 85cba22c9bfe0a6d4f449681a5360edbc79a59fc75a34c98944340f88eff974d9debbe812c1ad7ee14e8c27c7775cbfa281fa85ecd24391fe6f46562561ba2d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20ebbb6813dde7edb84aeecbe9e3ea99
SHA1 10baaa8e2c91b073108c6bb35fa979edf079bb40
SHA256 bde19fec953a7e61cf23e0da483a1129ee9885606d9f3939841cf78815784d9c
SHA512 b4775ffb6504d16138f071aa4f3f5d1dc119bc1f4c4d164ac75ba518ab1295f676ef9ec9f74183d80ec01e47d5aa3922888c0d7463104b5a7430294aae1c8e3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa12d3dd0326b62839dde564942a223e
SHA1 365d034315f6e2d390a2cf42109abf0ba477f4f4
SHA256 9e92192601cdd41c4ad0caafca4d27634eee39c22feb5e49c2d4349b970a637d
SHA512 c9ac7ffd8aaacbdbd1e4fd0f0731a653334b5130c4b4c5488dda5f1e951e9f4c6788e9c7db3b4daeda314cb3aad34dce98a614f6d8b7fe12e1279cd9b4ee951f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 328ff7127642473e0c4d4b1d08916ff1
SHA1 6665bad071c92f22b3fb98d34425707379867e70
SHA256 578c9d058c6c6d270e8e90f6221e0235506a359173e20313a22a6f139f8c6084
SHA512 26eb22926560884e2d2dbf65bab4e90b2a6e51c8c6e9605b0620c727682a6948171ea6ee07a786a22b48bd471aedb4707ed1424a8132a1f6a0a9161b27bad24d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e70352b7d1c338ae441d823d3f6db36b
SHA1 d03835e9b6f26c582941db4bc26afd3a2270fdd3
SHA256 8981ba0f5c7d5d9269b29237b57375ecdb80b864adc38fd5a99f01e67985ff0a
SHA512 c7de7152ef377f5b231d02512248f8d2f3f4011a84353073b856e17df2116cfc26b52447e2bd069b6f3ceb6943fb0988bd9889d73cec07d59e36fc203fed8040

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5237f14c12f3d2a0c2c99547b1a1c2d0
SHA1 0866c984473f0097c8195b5a3ce192e47fa7f7a6
SHA256 873ebebf8a8c6673f4b793784758a96a1ddba4bbb73d8139636dab3a5bf1bd14
SHA512 a88aaa489bb736fb315575fb7013be805cb2269931bd1faf8d322b129f2869a1249f103eb167ff0d910673f0398e631a5d0185ad7289bf957cb317f99996942b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27d38cab2daeb32d44c373d678316f63
SHA1 a87cdc650f996219ad1437a5fceff101513c8f2f
SHA256 98f58e704a6a96b436474fcef6a7a48785cd3c2af3e70d3f3a06953b687bde32
SHA512 cb33fd9e3847f1009c6f3f7b25de9a5accff86f5669164c22ab48c506d190650c533422e613d2030f8f20e2cae5afbe09c17a56c43700c570f630e1043b0d418

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 c26da2d1b231266a9f5a28eb7db561db
SHA1 d079c96e775116130942e195fb82dd2d61303b47
SHA256 96748e92d588171886d3594523e9e1df14cb8664d3b9b8db5a49c72829f5c482
SHA512 25eabaf36dddc853cfc7911e27458185a0f50aedf9ba732c298bd0f5e983c2ecd69f8f77caf98edd665a87637e6a15126766f180686de6bba7d8eae48a7ccd72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83c8c221194934d6ea3f7f4f8ce7af05
SHA1 ec5286cdf40c6eb44abbc71bb20a505aa3654dd0
SHA256 e4f2d7945663b08fd2697662ef2d86922c9b9e4d3e966e7a77d6aac12e63c5ad
SHA512 fb1339b14423b62dd6e0626444f73790a29a5b1273468fde4705f3e1c95fe75a5433170c92514b15e82538329da971267f33143d44a969476f415a150699778b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3ae01630b9fc7b16b9a8c7b208fded2
SHA1 9e8bacdbc755b12181a912e329bdfe20eae91a3e
SHA256 d5831de1957c0321ff00bd2f83944dcd3217077e37c6cc027a450a60689f8c0f
SHA512 8108e2af2a440aef07439ae746ee610264f5486f0bb6894b70b048661fba8b8baaa863f453a7d6325c337952d36e61cac41703d6982f088faaeb66c0bb6b201f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e98d523fc06d5bfc2ba79a8111f5c33d
SHA1 9d12dc65cebcd9de3aa40b28afdb3e7d0b795d98
SHA256 2e969814389fd8c38874c9669d0e526f1f9c7d4faef24fadf6b159bb5c4427c5
SHA512 767b25e283e03e3ebb2e94fcd3d59f547b63c512b4facb48b6eed0adcbb1bf4f771719867c3af73431bdca9c09aa4c052f774bb4f152fafbcf37bbbec2e4f0e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a93da1366f1db1d85eccfc14b8214b7
SHA1 fda33679b065233b31fdc505dc008aa7217c5cb9
SHA256 c2afca0d531250b8d941b750e46d4f5428141bbac259acd9d59f8f0c6cd42e36
SHA512 e46e050f71446a4e38be1834f28cd292ad365d59a38a0c437f738c974d33a19784adebdf8b2ff0f601d4e11a45caa445e52a53c7cf256a818046a0d17c50fcd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b274e709f390e6e9fab9eee3a065710c
SHA1 4221c18184535d6cef667d486a1fca7e771485bc
SHA256 32906e1f28768999719a5757977f4fcc1ca995de64f4f27278d524a20257bd50
SHA512 8032e9e71aff62458978dbdd2ae66c220c4b9e942c17d6daf16ea19f0d3670df540f462dc3ea92c7c2207efee811c9cdcbf3cf4f8a3b474092fe9d3fa1d0d661

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfcaa6e963ba55b4ba86ec3919f20f8a
SHA1 ed6395218ef038f3ddd8293b3f4757476169f75d
SHA256 bf1ad27b657904bf7c08092c3ee2b8410d945d3dd304eeb20540a06206caf989
SHA512 61ce999e36b1c88b495e3de8ecac979c9b7e9403aea584644266cce90ad76994a8fde38ec9c3f195ddc98c7fccbe07f9b7a1d8d1cd8e1f0e058ea7c34b2d9cc0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ebe074149267bc849236d8a6a9c602d
SHA1 a8aa2e6ab5ddd59e0be6053985da78e3241f7ef4
SHA256 9cf2d8335cf53bc3f3360098b1c4f815203915a484bfde84f94aadab73116be5
SHA512 f69a1fd4a37478e2b418daee2fdc9d9dd1112c4349bfe5cf81575055756df0a510e6c00e4dac570b1978d9f610d1675eeb9350dd5895200b0b75a56023b1c97c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb87f332e1733aea1dd6751a81087b03
SHA1 0cbab4343a051fbf6ee600ca5e80bf837f739923
SHA256 05c98587f4ad78daecf78da01ed1fd6abca5e056091e75cb1903eb55f1ea424c
SHA512 82d41a881c978c02eb7c02bc2914556e0de14a7732e7cf6d039542b4af773a1ddabb8979eac78807eb0301f04fc5406828bdd9a5f57dc2c28ca56d80052be511

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e94fe798d27d91cf372d78673188eb5
SHA1 f1c862b0f465f163c772cf1005f26b563f60e8c5
SHA256 38123618445a203f53875e7961d72c7a6f25b7f486f1bd169ec22f518b2b3c78
SHA512 2846bd709d975c0f79be5d576d93b25a3b59a23e35a6eeaf0b50d4cfaf979a108a5b034a7c23ffa9c40ca2d75e9bdcea4c18aaeaeb2e35b3e10b21c026d59fd7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b57490106f632ac2f2a8b8fe661f5258
SHA1 6675b04d0fd8706e8606548a0d5bb50513bd1d14
SHA256 86683109b3e41d48fb5f3148c66374665fab1c03b3d744d755c0c1c0180b5d47
SHA512 6175bd880f35afdc04b9ee143f7883851070e902fcf2db3166c448058c4f616313941d43b4a9dcaa40bccf0773a6101f1cdcc44b3a9d56fd1b995b341a28a574

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df4c0ed6e597303e98e8eeff1403be3e
SHA1 4eba9484bc909b646bbb7f74a162eb6af5b169bc
SHA256 12b0425026df36ea54c23decbc9225b2888c1ef4cf75bc343b589a1d10e2791d
SHA512 eb8f7986c6060830f8fbac29cef5fd1131bb84c3ec6640de85d83811cd1550cfd56c916ef7f3d084a1088f1af3e74aa435fc96710d025225247dd8985ad5f859

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 faec08626f6ec14bec7c5626d145e2a5
SHA1 88f8ad92fd32f63ae7342708151a6b30cc06590d
SHA256 71d63e5f5f1eac3f9bc4f4c7b600b0e59fb609c27d8614441b7f051d1babac6b
SHA512 be4f3997fb71371c967c77dc10c04bb4848e00a6d80280bebf6d71cd4b1bf9485bd95705d6ed6c5a076593619c6ca7b317315074debc702c4fa82412677f529f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64e0062420874357725aa52a9ac85b7f
SHA1 efd94e6bd8a7796ea8b0c396506f4a36c373a3dd
SHA256 27a8a789045503f5c02485ea9e9b73d34760959b1fb1b1ab523ed681c6adaf0e
SHA512 46b3092d64d34fd36643ad6bd623ac842dd13c5fc083e2f956df08b1cd6cafaa0df0cb3305f630e3aa5a9b7696c1ba6ba0f39ac31bf5c43d223660f7fc7a421d

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 15:13

Reported

2024-04-06 15:16

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Program Files\Mozilla Firefox\firefox.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe N/A
N/A N/A C:\Windows\CTS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\default-browser-agent.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\default-browser-agent.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\default-browser-agent.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\default-browser-agent.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{60DE6416-DFC4-4406-B932-C9EA8CDC511C}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{60DE6416-DFC4-4406-B932-C9EA8CDC511C}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\notificationserver.dll" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\firefox.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe.sig C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\ C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\ C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File created C:\Program Files\Mozilla Firefox\xul.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaultagent.ini C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\vcruntime140_1.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\freebl3.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\uninstall.log C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\removed-files C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\vcruntime140.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\vcruntime140.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.ini C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File created C:\Program Files\Mozilla Firefox\mozavcodec.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File created C:\Program Files\Mozilla Firefox\defaultagent.ini C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\libEGL.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaultagent_localized.ini C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\application.ini C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File created C:\Program Files\Mozilla Firefox\locale.ini C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\installation_telemetry.json C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\freebl3.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File created C:\Program Files\Mozilla Firefox\application.ini C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\ C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\ C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\uninstall.log C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\wmfclearkey.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\IA2Marshal.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\ C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File created C:\Program Files\Mozilla Firefox\updater.ini C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nst359C.tmp C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\omni.ja C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\mozglue.dll C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\fonts\ C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\ C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\libEGL.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
File created C:\Program Files\Mozilla Firefox\notificationserver.dll C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Colors C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Colors C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Colors C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox-private\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{60DE6416-DFC4-4406-B932-C9EA8CDC511C} C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec\ C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods\ = "18" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox-private\ = "Firefox Private Browsing Protocol" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ = "ISimpleDOMText" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\DefaultIcon C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\shell\open\command C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{60DE6416-DFC4-4406-B932-C9EA8CDC511C} C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\URL Protocol C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox-private\shell C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox-private\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -private-window \"%1\"" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec\ C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\FirefoxPDF-308046B0AF4A39CB C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\EditFlags = "2" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\shell\open\ddeexec\ C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\ = "Firefox HTML Document" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\FIREFOXHTML-308046B0AF4A39CB\SHELL\OPEN\DDEEXEC C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\ = "Firefox Browsing Protocol" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\FriendlyTypeName = "Firefox PDF Document" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_CLASSES\FIREFOXPDF-308046B0AF4A39CB\SHELL\OPEN\DDEEXEC C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\shell\open\ddeexec C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Interface C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox-private\EditFlags = "2" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,0" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\firefox\shell\ = "open" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{60DE6416-DFC4-4406-B932-C9EA8CDC511C}\AppID = "{60DE6416-DFC4-4406-B932-C9EA8CDC511C}" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB\CustomActivator = "{60DE6416-DFC4-4406-B932-C9EA8CDC511C}" C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec\ C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe
PID 1544 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe
PID 1544 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe
PID 1544 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1544 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1544 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe C:\Windows\CTS.exe
PID 3396 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe
PID 3396 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe
PID 3396 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe
PID 1452 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe
PID 1452 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe
PID 1452 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe
PID 4936 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe
PID 4936 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe
PID 4936 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe
PID 1284 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe C:\Windows\system32\regsvr32.exe
PID 1284 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe C:\Windows\system32\regsvr32.exe
PID 1284 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
PID 1284 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
PID 1284 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
PID 3308 wrote to memory of 536 N/A C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
PID 3308 wrote to memory of 536 N/A C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
PID 1284 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe C:\Program Files\Mozilla Firefox\default-browser-agent.exe
PID 1284 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe C:\Program Files\Mozilla Firefox\default-browser-agent.exe
PID 2124 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2124 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1868 wrote to memory of 5016 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1284 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1284 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3564 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1452 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1452 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4092 wrote to memory of 4724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4724 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2d1fda785669f8fb843491a5c110efc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe

C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe

.\setup-stub.exe

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe

"C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\config.ini

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe

.\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\config.ini

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"

C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe

"C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent register-task 308046B0AF4A39CB

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent register-task 308046B0AF4A39CB

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask install

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask install

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -first-startup

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2328 -parentBuildID 20240401114208 -prefsHandle 1840 -prefMapHandle 1836 -prefsLen 23610 -prefMapSize 244606 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9d7c4af-bd5a-437c-bcde-b587fc25166b} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2628 -parentBuildID 20240401114208 -prefsHandle 2620 -prefMapHandle 2616 -prefsLen 23610 -prefMapSize 244606 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {888f49cf-5f92-41c3-8c20-ca0cfd85bf77} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -childID 1 -isForBrowser -prefsHandle 1256 -prefMapHandle 1740 -prefsLen 21630 -prefMapSize 244606 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54c93970-ddc6-4bfb-85c8-67bfd11f3131} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -childID 2 -isForBrowser -prefsHandle 3208 -prefMapHandle 3216 -prefsLen 23791 -prefMapSize 244606 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d7af4e0-c5af-45e3-ac83-b92da229a604} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 3 -isForBrowser -prefsHandle 3916 -prefMapHandle 3332 -prefsLen 24751 -prefMapSize 244606 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2202902a-f874-4baa-adc6-90feee3d604f} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 29225 -prefMapSize 244606 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {020ec1e3-89d5-47ac-85c0-4c91ca1ffc43} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -parentBuildID 20240401114208 -prefsHandle 5140 -prefMapHandle 5132 -prefsLen 29225 -prefMapSize 244606 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ace6deea-5392-4adf-a1de-35f8ad7ed346} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -childID 4 -isForBrowser -prefsHandle 2980 -prefMapHandle 3060 -prefsLen 27273 -prefMapSize 244606 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20b7ddc3-be47-4a42-bca3-905ff5881cf4} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5808 -prefsLen 27273 -prefMapSize 244606 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c72e4c8f-c379-4b3b-9a46-ea178bbc8b8a} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 6 -isForBrowser -prefsHandle 5632 -prefMapHandle 3188 -prefsLen 27273 -prefMapSize 244606 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a754e4b-4a65-483c-89c6-0669d7be37fb} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 product-details.mozilla.org udp
ES 18.154.41.122:443 product-details.mozilla.org tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 122.41.154.18.in-addr.arpa udp
US 8.8.8.8:53 222.122.157.108.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 download.mozilla.org udp
US 52.55.189.209:443 download.mozilla.org tcp
US 8.8.8.8:53 224.244.67.18.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 download-installer.cdn.mozilla.net udp
US 34.117.35.28:443 download-installer.cdn.mozilla.net tcp
US 8.8.8.8:53 209.189.55.52.in-addr.arpa udp
US 8.8.8.8:53 29.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 28.35.117.34.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 download-stats.mozilla.org udp
US 34.120.208.123:80 download-stats.mozilla.org tcp
US 8.8.8.8:53 123.208.120.34.in-addr.arpa udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 44.239.148.246:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 246.148.239.44.in-addr.arpa udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 37.158.120.34.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 127.0.0.1:49723 tcp
N/A 127.0.0.1:49857 tcp
N/A 127.0.0.1:49991 tcp
N/A 127.0.0.1:50004 tcp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
NL 2.18.121.73:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 73.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
DE 142.250.186.142:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
DE 142.250.186.142:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6n6s.gvt1.com udp
GB 173.194.3.70:443 r1---sn-aigl6n6s.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6n6s.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6n6s.gvt1.com udp
GB 173.194.3.70:443 r1.sn-aigl6n6s.gvt1.com udp
US 8.8.8.8:53 142.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 70.3.194.173.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 52.24.13.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 locprod2-elb-us-west-2.prod.mozaws.net udp
US 8.8.8.8:53 locprod2-elb-us-west-2.prod.mozaws.net udp
US 8.8.8.8:53 216.13.24.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1544-0-0x00000000002B0000-0x00000000002C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CmLZ31nLwyihOpo.exe

MD5 78275c405670e0d9dd16481f26f5355c
SHA1 8581c6e6e7f239dbbba5083c65a76b3893515e3b
SHA256 0d5d6ea5c85bce2ae1e9dd5a777a35cfe21e9f9526630d13cf1795c4fb32eeda
SHA512 7cf9c4aa805cc0f161200e1e71f09eeb525d03d57f550062c880d63c13f7fd616613ab3630c7ba28cc84141390e55eb45bdde8e757c9fd29bbe8ddbcfe3a2d35

memory/3396-7-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1544-10-0x00000000002B0000-0x00000000002C7000-memory.dmp

memory/4152-11-0x0000000000900000-0x0000000000917000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 06c439da0a9a5e8caa51e5ea62fe05f9
SHA1 793c6e3d568b738f01c09ef15a1c74c5820c76da
SHA256 b6770e810f5cd96d83e7042c551df1132087b4cb2f97ddb37e5ec04475c52cb8
SHA512 361a7ed33b9d059033ffce6958d95c8436b305555a96cfaa4d86809c304e5615dff537ae89cfd22919eb2ddee67b341376d730e146fcebacc75ac69c3ae659c7

C:\Users\Admin\AppData\Local\Temp\7zS44D41F37\setup-stub.exe

MD5 5e8603920f9fd39ecede163aab0c53c7
SHA1 1f686ce223269087e4b036e8fdfd9214d9b8911f
SHA256 f3a9cdd9ff511cd504bc5ca96e280bbc166fa1d87e749a86a5d73d05cdd1f879
SHA512 935b7e57fa7f2798f0ba1b9a0481a43ae60339886462c9010328335e833207755046449dd97885df86ac8d4d46f471d557ea4585223765120b9401b57bf04705

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\System.dll

MD5 17ed1c86bd67e78ade4712be48a7d2bd
SHA1 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
SHA256 bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
SHA512 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\UserInfo.dll

MD5 1b446b36f5b4022d50ffdc0cf567b24a
SHA1 d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9
SHA256 2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922
SHA512 04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\UAC.dll

MD5 113c5f02686d865bc9e8332350274fd1
SHA1 4fa4414666f8091e327adb4d81a98a0d6e2e254a
SHA256 0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d
SHA512 e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

memory/1452-62-0x0000000002540000-0x000000000254F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\CityHash.dll

MD5 737379945745bb94f8a0dadcc18cad8d
SHA1 6a1f497b4dc007f5935b66ec83b00e5a394332c6
SHA256 d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a
SHA512 c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\InetBgDL.dll

MD5 d4f7b4f9c296308e03a55cb0896a92fc
SHA1 63065bed300926a5b39eabf6efdf9296ed46e0cc
SHA256 6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83
SHA512 d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\nsDialogs.dll

MD5 42b064366f780c1f298fa3cb3aeae260
SHA1 5b0349db73c43f35227b252b9aa6555f5ede9015
SHA256 c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab
SHA512 50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\CertCheck.dll

MD5 2979f933cbbac19cfe35b1fa02cc95a4
SHA1 4f208c9c12199491d7ba3c1ee640fca615e11e92
SHA256 bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f
SHA512 61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\download.exe

MD5 8004042f7b49322c7d9d051c80ba6dfb
SHA1 f74650fe271fdc0242c19c45c38c8613e597db77
SHA256 f090a655e4973acfa991963694fdacc10547c668b44694aee8664eea24941b67
SHA512 fc7a5940a0a32ac9fc45771f57e709c3180f3985d59b639b330d458cbccf829b03c3fdeb0015f43ce52605002498a76dbef2e97001b113d6651e779d653f9ea5

memory/3396-128-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4936-155-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\setup.exe

MD5 438e90694f02ad259acaf8774d8f044b
SHA1 0eb161320a765ee7a4ae14faab38d2a88bb34039
SHA256 7ea16cb69f17c122427481efd1a09249ccd789caa070fd354c56a25783fceb12
SHA512 ad2f4e4391c6e709907f15e326dd88f059e66c5ec3ff1eb902177547b378ea28f4d58eeb9feda1b24901b36e8cc016badefe436ab8dfa6d778a095dc4ee5c194

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\System.dll

MD5 b361682fa5e6a1906e754cfa08aa8d90
SHA1 c6701aee0c866565de1b7c1f81fd88da56b395d3
SHA256 b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04
SHA512 2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\config.ini

MD5 ed23468cb20f1f37a967eb26f639faef
SHA1 5707e3d394b6a3e36e8b1e23317ec115bafa1e9c
SHA256 812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913
SHA512 9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\UAC.dll

MD5 d23b256e9c12fe37d984bae5017c5f8c
SHA1 fd698b58a563816b2260bbc50d7f864b33523121
SHA256 ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c
SHA512 13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\components.ini

MD5 c9b5d86a9a0f014293b24a0922837564
SHA1 3cc73b4a30a1a0bfdc6812bbd17994f53eb5db2a
SHA256 775c85f3552754ad3794b88c0cb6d6fc43d412cd9a87a4b9e847386a5bd0a9c4
SHA512 790f365afbe4c5a37dbb56443d38f0c439eadca002e4001d373d6db8c1d80c4adacf3749e9d210cd0316381682fbbc46616a3fa36581c7ea6f5ce69119944b62

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\options.ini

MD5 f50ac2442dddb1ec2bd0dd5410fcfbb4
SHA1 13a4a1dbd6cad83aa6e5d9043b6d98e1bf4ec371
SHA256 89b31e3fe0c4390d252a686512bacec6f53e3f4da6d1f12bca2866d4ba37d021
SHA512 697bad94809681055d19fb03f8979c79bb948bd01888392a0fff37b30fc87f965e7f716c0c28de6df6746518a5d5c26006e3a313eecbc6f8bdbed25d39d6f8a2

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\shortcuts.ini

MD5 71851e095439dfcac9099254c0881673
SHA1 d31c9dfade1d31b937872dd6a8761c4c117ef588
SHA256 97ef03760837f339242d39927e0f9fa046669ed66b9a413b853ea8b6450ebfc4
SHA512 1025ff9cfed7f064670b43b401f80a2a805354cdd0f3a348c3935e15e08d67d9fb05d028b259a66003403425d842d5f10aa88e9bb57563765cecb91e85ab6c18

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\defaultagent.ini

MD5 7a84fd3929948b8c43fa5fdfbf59c64e
SHA1 fb1ce51832cced529f785b8b4a0a6d631625abaa
SHA256 814f2e58ec2f5f33bbf365f743db28022bd141870b95febf87c0fa042b819106
SHA512 abe1f6d86bd835940f5e1cda1a7872ba27fe9be48dd53965fd9b8f5f96e1aabc0f8f931c04bb9fc7b0ac11b83cfd4661b67293025485c9cc09df0b171afeb806

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\lgpllibs.dll

MD5 acc604c38015a9506ecd36c535222306
SHA1 cb6ea3f2b27d0671b3aee0976c0349f618b57165
SHA256 f2aa7dde0f7178d2fc4684b3aba0489dc6e02cd385c070fa4c1024eb721f187b
SHA512 f56bb190b5f01624a434ee8a891b41df64c2667b7b8b5e4d219784ef1ff70f79b17e3cf00fca8822edb86ab062e4bb21391370826fa77157094fe2e9c35614b0

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\removed-files

MD5 fefbfac37461bd30e05f5befaa1f7705
SHA1 74f9024662db06184e645cab76bfecb0e6897545
SHA256 52523da24287c4d459131c2e4818a713a732765e06e9bbba1cf353888ba34f9f
SHA512 874d6bdef28dea531c858443810d0b026a3a5667e0b9985bce84b7c5ab63d06a015487bd1da2a914d28af7b6568335b1927f9fb9656715947929cd6671ccc4b7

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\private_browsing.VisualElementsManifest.xml

MD5 b499ede5c9228c742578086591193efe
SHA1 18e682ec73ed8fcea99893142fa8b08ee8a32b72
SHA256 9ea86a18d41112e25b17454044ac29b458f508d9814700a6f4c0f9370678f3ae
SHA512 b99ef0e9152da3bf6adac5fef67b44738ae7a2d1ef0041786a5700b8389acde7380f1bc9bf1402c7a356f1777aca7c2b05af5ee22b7297bc879fe2e6b9741f13

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\private_browsing.exe

MD5 92da8bfd3c0669c155e7a55d04ed12f4
SHA1 5f2d2585cfbdec86880f4137e04400de1e2bffcf
SHA256 c79941fd3e7bd89f2766110158eec79aa3af7620c33606a203cf82c492cc700d
SHA512 cbc733576fce71fe21f21ac8db58a073574a2741205e1c28c796ad27b39ab1c388adfcfa236ddf389aadf9bc807226852202b0bc9e2353bb91406bc1380a8557

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\precomplete

MD5 e5cc0a1ba04481c6c564661a2ba54b66
SHA1 2dcfc5beed8308fe6f90613a49f2332f7dc5bf68
SHA256 f2a7800d0be7e010d58c7ffd8a8e40af4314aa2002d1db80a22d8f94d36bc6cc
SHA512 50e057a3f3478b98b2988c9f2bcd79f83b89d578838db5c2339b9774adae5b1cc41d19646f643818b80cd37120c5fefd0f6e04fee5d3d50c7bdf2ba769ad5297

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\plugin-container.exe.sig

MD5 be706f5b8fe29f1597208c6b2ec5f9f4
SHA1 adef4ff9de574888ccc9f46464c9cc9ab872d600
SHA256 67a1210a34f5ca2fba95b4431fad421943491767bd6edd14aefb0de19825cb1e
SHA512 b34e2c2f9da5b0639d0c42d92ffc3ea2a0026f392c7cc34fdf7147aa987abfca0d1b6ac81bb5edd8f379b4ac73397ec3ee817196f08d770aa6b4f9c2a1120cfb

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\plugin-container.exe

MD5 82ca21464b210f907e27075b9c43f24c
SHA1 8f7d9b07fa033072e83cf68a9bb3326c5a6d56e9
SHA256 8e9ca7f8b64b537a324f73f392461c159ef0ae3e540977642f6ea0462b877cb0
SHA512 2f77e5e7c8734d360fbf4870da73fb55fd3e78134f3c9c4620d5dee315cf34fc5365a3a5ccef68e52a8fbda590f9dd1ac48f4dea7ba780d8948b95e085244112

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\platform.ini

MD5 1a622984199574cc7162a341f0348d57
SHA1 54ab96c39b9da2dce2505dfe6d13a4c4fb901c5c
SHA256 af70dfd1aa8fcc9cb5ccefa17a9e23d21f822fc038e90e60f95c4d53f2db4cfb
SHA512 5b1175ce4ec42ad6664dc57024850891d6dfa9e43daf5ae2f6d2553c37df12ccea7022ec5e1c1ad5894a4d43b1780381598a034ed2ba723b9e2c5b1540d602e0

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\pingsender.exe

MD5 69a30d1e4195aff22f15bbc590e9b5e3
SHA1 7547128630487c8cb3e3ae03bb58841ea848e94b
SHA256 08d8cf85c548ac664d6f39d5518bebd41e1a9e5f51153eba33ab91e3da52cea6
SHA512 c921f78620d8e8c79c82e24fa17997a6a4874b8707ad7ff42dfd22b824a9eae2e3fb43d5c136924295757b27ade4f3e625b8c77d97c91f7fa60519d67a56129b

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\osclientcerts.dll

MD5 cd0017e6e8286fa37d893ef0fb03848b
SHA1 c19720c3386b3dec6340a5083b8eac99f1365f62
SHA256 0cda4d44b2d1764bdf2cf9a3870aad590db3807f5ac398d5eab414450883dacd
SHA512 8625850a31ea175b026d6d98fb35b6071f2cf4bf64f6f8fe446022bd4e62ad9e572dd62707ba76c6402ae2130af588128476dc15a3d50c2d9a926e069e01791a

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\omni.ja

MD5 1ee45c37aa44ab50a80aef6b5b373bf7
SHA1 282e6eac2881dc6f474f279c1f14b5de3a0bec18
SHA256 ec10ce99a9ce2ef6223b4ef004977e9abfbd0140581e403965f4e686da4674e3
SHA512 a342bcb0bf699dc1aff6344d2fb4564d026c1de03036ae6d3b90059a7fb6fb8473ee59c98815745eee5327db0b1c8ef845022179f8634381f687f28208485659

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\nssckbi.dll

MD5 e96c86eba0f9fdc4582dc0e3b9b0e5b2
SHA1 65279d8939a18620751ecf4ebf3715aeee8a5331
SHA256 5fda066b1a6bab8a3d432a3e5e3d8a886a9488db8ed2b9f2afc55c7e0f38428f
SHA512 f4212fc7b64a5f5632ddb73105334a5f43f05a65603b55bc248434ac21927942b9fb5d7af3a2e03061604e95505976e268bb6583be748e067dbd4ff3b570f135

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\nss3.dll

MD5 070429099820a3995b316e8888f7a468
SHA1 63116279af074dbdcbf71b198c3fb058a8c37fe1
SHA256 0340a6ce301d24548dff25dd09869b73cba87c77d84ca1c5a025ea9f90df6ddc
SHA512 27d80d6c56cc9fde8268350f64d4fdb7b5181865060e80f33f0bbe71d0a0718fb5874435aaf89f02b9f5ef2163564d2ec7b1502926a84dc85ca1f3dd3f20c127

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\notificationserver.dll

MD5 0970c393b8f2c2c66f54c70088a462e7
SHA1 67b2e55fd4bb8abdae0084a608c45668289797c5
SHA256 c7ee3a3f93887c628ce555fe010bb09628710940c903cbde4f2d6faaedc7b104
SHA512 1643de027f0f17c0cf821c18f84a546c27e8ef4a1c6fbba10c6f20f2bd64a0de6eedaf15d297b912c4de98e0218b54777b781965b8a615794846c96a69e58c85

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\msvcp140.dll

MD5 0d89995cc45c7eb40e5a7e287506c1e9
SHA1 096c27b06ee7fff2bcd290af0264cdafd04cded9
SHA256 e0a22a594e148fa55ceef3e49969bfa77011a801267a0bd7805b681b593c9d0b
SHA512 3497c2957d10fcddeec8f312fb15c53f82d770dcc3e771a94daf4f4435c3ddf323ecd33310baaf1ad56673bac7c6268a9ef921d5f32cf7e4a7c9dcb0d8aafa63

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\mozwer.dll

MD5 4c178b42e7ac23c2670f9062140db18b
SHA1 1866da5ff5ac76b6d48f5cbd906969e44de254aa
SHA256 b80ff8b4a8a53bb5c0b811899005923e57567823914b90c8ebf978be75db82f2
SHA512 86147e368d86f927ea203b3dd56c20d516a3598af3e27d4a51dce9b4090f0bc159f92c7182cf2f910034ccfed1c713b7b59db8c650328f79b5783ea01ad9091a

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\mozglue.dll

MD5 82958c604717fc0a15052e03a927cfa4
SHA1 829a7eb23147c31d9746ddaa30201b7127515416
SHA256 948818942a29cf21260ba389c2fdf3c001d77851500a7124c1f6a3290b8f826c
SHA512 70e5118dd760e7dc86f3641da57dad00f02b703e53230bc13e0e9e21fddcba75d3e70445d90d9f13988956e4ba20e7b54ebbdaaed18c3e7aa75a4214c2e2aff9

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\mozavutil.dll

MD5 a8c59fe48e7534b1f328c6695a3c1980
SHA1 50888185b771136b18277d0fa01d34581c63a26f
SHA256 7bd0afa48888aeaa8c95c43ad50a7c10e569bd270a61122d8d44cfe4f95760e5
SHA512 7b410705365c1286c457e6ef009d3232a5eadc45204e1f3a2cb9f3eff1e52dd990cbc850a9b5b377161a591ff66569c768c36336c22c69282108247d85945937

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\mozavcodec.dll

MD5 982f90321a56b53fb89a10df4cebecb1
SHA1 679421f5547c6e1c368102db3e2c644a736b3264
SHA256 0a39ef94934e5c442c222e3ef3db8f27b40348cff72f0c2b47444f9b79947281
SHA512 24c8e0de7404176e4ed2bde53959ed792c79c2919bc779b293b067dfd1fa9880c493a9952ac8b23a8872209b414602f437bd2275f591536fe8cc90b7610148e7

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\minidump-analyzer.exe

MD5 27339083fea7fd6d8363f7fa88ca7b80
SHA1 6582a65dc5d306964236ce560a85b6a3826ae9ee
SHA256 f18e014b7127345cd9462e3da9299d3a57fd64dddd60e6c9f088b8b9c30161a7
SHA512 e9987041bc8a2ed5eadeee525db19e415cd96a19b2a7a4aca1372cbd072c88f64f8fe5ce4b1ebe4ba75f3f436de33173a363cf2a64f459500563cf529894a777

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\maintenanceservice_installer.exe

MD5 6af8db25cd8020149f2185aa5d4f32d1
SHA1 cbbf719fe0d908ae61786c7ed7a7b07813f525d7
SHA256 cb1e94285ac672b4184ceecbfcd8da3bb2b535b53ecddd3f94bff702e71cae1d
SHA512 f8444e1da21e8644203fb7bc6232694b0eb971ae846d15e3e79e128c96fed6530ce45b8076f032fc45e3037cf2b8aa119ed0a47f9798e34c900e0efdc3a1a065

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\maintenanceservice.exe

MD5 47b61a3787718ef6e3b0f4867dfd77b6
SHA1 ca3cc47dbd686fe15a124576192aee45339f1be7
SHA256 78d5ba607a68d835f89f6f79b2686d3fb71f6f1e414517acc8435fb02c994d84
SHA512 10bb4ef3cb7d17e732e29821deada7fa4883cc45d154b6d28322110102404dfe3744ff79aab7159e6da604bc1c3ac77bc740e1cfd46f8d1a08c48bd7f58d4c68

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\locale.ini

MD5 bad74b155b8731bfddb8d54cbd1b0021
SHA1 5a4d8b98ae81f75e362d510713e05022be64c60b
SHA256 a4a030b6f430548e5bba3cfc748515d40b72c522a1345957df4ed5f88736013c
SHA512 ebfab2f589390553bd93c1299db8b7a7bfb8b1ac9ac5ce3c2c8d478c79ef8b93d6193f9e739e94f662dfc026cd49b04a8f2fe3ed82dd4bd191d1cf34e1e4501a

C:\Program Files\Mozilla Firefox\install.tmp

MD5 ebdbe9f303a81fe57c6e00614d49f6b8
SHA1 59cea77f8fc790312c6e74761be94d57ed6fbab7
SHA256 a7567835dfebca8f1dbb994ff9c721bda3de3a67ad68cac0a35d54c264c07164
SHA512 0e44d4663c530a3060d99750cb478adb00b8591a258b990fbaafdca6e13210ac2d617bc8ad9227577bdc7babf5058648775cc0e8a65604f62766d9d3455d8af8

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\libGLESv2.dll

MD5 b58355070a47e6e3bc71a7a599027d83
SHA1 1e73a9f5c9c505b1cfddbb2c6ec6cf97a7948008
SHA256 2a4d75ba4b34e2de99429a77737e80541b8f65396048cea6f901e6192d434907
SHA512 9ba1e9ad2b54e879d97983738fc816c1de3ec683cfae183b7b269badce5ef88a0dff35dec6074ef0027e0978f1f975b7afa21f18dd9bb37ee9d04ad133bffd1c

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\libEGL.dll

MD5 42fc6c25f845433398e008bf77cb4854
SHA1 cf25039a0701bc4d4e0fbffc769dbf2a514a7d24
SHA256 192b2fbcc598e481616d6dd828d673bb54374173d70e75bd0a212278ac91793e
SHA512 b395693e9d2238cb1854788a196887c5aad3da218ae6547600a94c45801b2ae88b24ba4e5a08085e2d68cc05d459fe377b7b990bf52a5f3c0d05d07045b50f2d

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\ipcclientcerts.dll

MD5 0fec92b8cc50b4ec4274fc29e8e72c68
SHA1 02bd7c081e68005cfc02d3459558f0c981b4380e
SHA256 9539d62b3888eec11a669e6777702990824409745f9166ce2bd346ad2314eec1
SHA512 82bf1e37b44d37fba508a394f70ca9f7bf4e9920535821add189d42e4154945bb0d1c4867e13d20511dc4985db72f5f09a3a4febd6b02f1d3e93cef56ce910e5

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\gkcodecs.dll

MD5 818e5d1e4e556ba76f0f0cb544d056f7
SHA1 964b27160a945435c25929503c9f43e091af1c85
SHA256 7e2ae1aca6a7a4f7932b52a5a12f7c751ce2e73f6760831d4075d29be846d800
SHA512 25f6fa475ed02a3402d4d41eafc86c0dd536fb2f8db26fbf9b9455dccc96fdcad0cd8570edbac3223f3ebec2898034e58a10e4bffd4a1dcb82d5681c5fca48fa

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\freebl3.dll

MD5 079f48ed995b415d79f99d7f5facacc2
SHA1 06eff6d1482c5a35a85a82dd37660b237e5e76b6
SHA256 f5465f6b92a425a2a8e42726976a435cc5f7ce93a2dccc670dce597db26962df
SHA512 9a1366aa0c744492bd40a8b9b225946017f3db76a7f6e75dca8006dc220f78b3db7338feffa2b8f3d55a5de42b4811250297d6158270925b4baf5b10f172aad5

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\firefox.VisualElementsManifest.xml

MD5 0aa43576f0420593451b10ab3b7582ec
SHA1 b5f535932053591c7678faa1cd7cc3a7de680d0d
SHA256 3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6
SHA512 6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\firefox.exe.sig

MD5 e8767315c596113a434835809e598247
SHA1 e0394ea26d12effe0510bbc01e885e80f3b14c94
SHA256 2dddb2b97032525224c92af53a0630657e630b075ca1db60d0a9055054a25406
SHA512 4ff532f31504a2b097deae3afb4accc55cc6932ab43f53aa67706bfb552058f09fc66ad2ea82f5d6e4d2513647174fb1bb2fa4cae494cd017d0aa4a27c12bf0b

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\firefox.exe

MD5 470443e44566ecfc7ac2ddbec240a73f
SHA1 27bb8d2fc02cd2bbc184d07357aaa9903d88b425
SHA256 006652da0745d8672ec56598368c1f8a4896cd4a0aa5b61499d574870f94b705
SHA512 22c9bc36874abb015a7e1a28e26f186f2abbd559aad53fdcf493f2178dbc6cfe5a7324d0acadcf4a641028e61787d2f4237a8c034a3a7a6d0a7162f31e05a618

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\dependentlibs.list

MD5 a515bc619743c790d426780ed4810105
SHA1 355dab227f0291b2c7f1945478eec7a4248578a0
SHA256 612e53338b53449be39f2e9086e15edc7bb3e7aa56c9d65a9d53b9eb3c3cc77d
SHA512 48ecd83a5eb1557dfabfaf588057e86fb4b7610f6ece119d6d89a38369d1c9426027520ce5b6d1cc79a4783b9f39ac58afb360cc76e05bbe8bbbd5128c5d395b

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\default-browser-agent.exe

MD5 4c6887f8c8c66f0b2db5a8b347931b70
SHA1 1a71320873155f84de67bc16324c8ca0e503be04
SHA256 a080df509685780d81ee32d86eac7ab15b5831090678f63b5741b57fd8a9969c
SHA512 3e1cc423bcde71a24457b5f9756241c0bc0f9b1f434eafc84ec733f124bbcf6f9a1e104caf402ef2d60a96b895842a8e6b18cffc59936e6c4873a3be92cace8f

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\crashreporter.ini

MD5 1b0d446f9d17c1374c81acec9d8d2406
SHA1 016bca3d4ee9a0dbb4350ee7a1898779dced6c11
SHA256 a0cc8cc3287d54d7e23a156256a553792970df9ca57f6ad85dceed32b979da71
SHA512 4e7de92579628cf8c31287506d6f3096bb15402ee6d694a72462cbd1f093e7d04cbcc9e13691b94408091e0c5ea8d8c528365a90885b55a126416af37be6979a

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\crashreporter.exe

MD5 aa9c1de3041eb75aeee90b85ff66c9dd
SHA1 83cba1e082732d95f278434fd25374104e25c668
SHA256 57b8145816b5d189842e350fc030e5a4def3a8990e489aa68dafec2b34e50171
SHA512 fa75c0de232e497540cce6f27dc0b0457860255a0822a6db297942ae91159dffaf4d35367aabcf9b2e235766a204210afee13e2e00cd0016403956a8a63a78a2

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\application.ini

MD5 b88b39cc6f0db319089ce85abc86bad3
SHA1 fe60addd45fe721a0bbb79fb12b5be85a471ea21
SHA256 52380c119d09bde2b00e375c32621aff55a676e07aaf88c604ac5c68f664ee25
SHA512 f4af28f15b8ec3b363deddf126d6e34692a74d29b8b2c908d41672e23c17925f7131401dc2efd84c6962c5e7ec9241967946dc36bfb3501edd2c79dea7d67fc5

C:\Users\Admin\AppData\Local\Temp\7zS843C2F57\core\AccessibleMarshal.dll

MD5 eb0c475124ce894398ead3733efbd451
SHA1 5413979dcaaaff24b5d47d2ff6430f229c4abb6e
SHA256 46b72bd02816965cd29d9c50c6afcd6b75b7a7b278605a1700ecc0a1e1492766
SHA512 2bddafc036331a89b5e4d5fce6d1d62805f04f37bdc1dc3a95b4644955a983aefde6a371b8d18f4432882473c907f2dbe55c31f6e47a54006b73070534f3644b

C:\Program Files\Mozilla Firefox\install.tmp

MD5 02640ec71b39f00ee44de768bd5e987b
SHA1 f8f75865ec8682093ff31ac0349f125a6563b95e
SHA256 422d0690a397c693395e40257352fad6b257186fce053e7bbd5f785888661844
SHA512 c3a200dd24d773224f707883b60003ff21cbf196d8a5e668a8da21c0a66449bd4bfda874ebc568127ce15aba47b7e7ee192da4609502c764e529c027e571af49

C:\Program Files\Mozilla Firefox\install.tmp

MD5 0ff20823ffe3990dbdcde9a9353eacb3
SHA1 6c3fc784314a688022b190218b7a49dccd66a7bc
SHA256 8970d581b5e3b93ab5ac70df3a6f15c164ec4fda092083136a266354d201d9b8
SHA512 b426340767126145daca748e0757f389fb38232552c0cfb9d2974448f6bd9603be914f1c134802c0eeb606e0ef5e7494c946976cb73551bdc308e5d7f0cbe2f0

C:\Program Files\Mozilla Firefox\browser\features\[email protected]

MD5 2f1bf72ce57bb644dd54e6376dd2fe4d
SHA1 6013cd2d3613a6b0035920f1da9ec0a4d6dc00a9
SHA256 21ce8909c9ac4e076589ea9c8fbcf6b745b485816841131c61575ea705ba0a03
SHA512 9fd85ab306bec919defa3454d8d5f6b13230392198174fab8a2f7cf0db67a4dc4fce61c896109a31970a0d585d4db3ce9fd0c76fc7e6359ba873d1cdfe2e26fe

C:\Program Files\Mozilla Firefox\wmfclearkey.dll

MD5 110b8aa620a7a58d0ea1b5dcae56ba1a
SHA1 7beaad4d50673adc5d3feee2a96563de54e96f86
SHA256 2785d09d250a9a75c1b9c48cd3cc551bcccae714f022a7f04053d50d52c13c4a
SHA512 29e78a230b73bf4dd25ada528dc0e86eab9308a620fc999b30d07222119918189c4d5be4d6f4e23eab4848bfc94c057f7190f9f782f6461094231148bd847663

C:\Program Files\Mozilla Firefox\vcruntime140_1.dll

MD5 9f4eac207cb58e8d110477e7fd19d565
SHA1 687051b863f7a7178cabf9c06ab3b534b1e23dd3
SHA256 7cf38d20d00b6640d510eab70171e1c6f8fa2e42040832e17c7433ab61d94a8e
SHA512 9c5c4499adfc7b61751510f52a1288ff386dd1c1aaf8e8a9660990194813394329f8123f38e026ea10c6e30b4a5506625b9060329d524db68e48f36ab2691a05

C:\Program Files\Mozilla Firefox\updater.ini

MD5 7a6cbd521497f6dd382f7b8c6aaa1eb5
SHA1 a0bccd339f6d045f0aeb4de504398c97c3dc2be0
SHA256 531b55d2224efa181b75ed4ceb84e4f854f26c2382dc411945515d57d8df2243
SHA512 af32b8b1e93c2fc1bb6c7ce0f371c8cedcdcb753393e8cbdf282424935db5f8f04b3468d450edc81ef28d8b4430d8941dacb2d8826d28be9065dc787c53eb553

C:\Program Files\Mozilla Firefox\updater.exe

MD5 792c5ab789d8efb1631dfe12fb6e64fc
SHA1 9337c863c834c8f9e5fdbde04702ab4bdabaa7e4
SHA256 d3c76e6e1f3e34197d108404fc9c8b6179ab01afff6c6803713d320a3b480ede
SHA512 18d7a4f77ea238325795ff95b5af1e59104d96b71c98b44f0bc1c246bcf8c0a4389c9d4275ecb62f93bbe82bbd00067af41056bfd121ef441fb3154d51586059

C:\Program Files\Mozilla Firefox\update-settings.ini

MD5 1413131f8cfad1e19d299667bf759087
SHA1 a0435cbf1a2817ec960c56a896d455e78adc226d
SHA256 c18489344fdc21ae366b4d957a0b9f11be772483ca46f9ffab6ed0356f946513
SHA512 590b53aff46903b1883c5fb14492ca85db2c6e0e900d0fdf62c3e6da10f1d10c3aa51224dc6db50f4eb12d42de017892f77e91d79aa16fcaefba10b27748748d

C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MD5 cbb81a903dc88f69ff9107f11bded306
SHA1 4466021a5d98b59b61c7d45a8f5dd695226b9056
SHA256 5719bb2ab3c985570662a12789a2dfd37acd6aa3bb743eb75fa271256455956f
SHA512 93e8e2e62b27686a2ca2dd4db7ae59349730e233f88ce83fd55969df1b16b9c382751987a76ba6b451bdda2dc080f7cf93a915e2517a783d16018813e3b27d13

C:\Program Files\Mozilla Firefox\softokn3.dll

MD5 27d5e11b0d3dfc2b8ed8c2a00a3ee401
SHA1 05e0220b0c841b7d7ecf909ae1582438f56d1261
SHA256 327ec623b603096fb5abbdf5375bc2e5f3840b5747df2eec9ab78fb17f6decfa
SHA512 c82a208d8328e3bf6c88e46275f4dc0d99ea09e2ba68c17e1a4f0ffff460e2366cbac443cd8209416d52e762455f4686385f9787998b67298527b27fcb852a5d

C:\Program Files\Mozilla Firefox\xul.dll

MD5 34d104c4f34b4cdc13a71699ee915d17
SHA1 f059f40abf3f92054665ecb3b43752b2bc399f3b
SHA256 cb28e5d31a6f7a4a1e4b52c49a02236dc0067ac4af7fae33993a28893127dc18
SHA512 5da0d21a4573c7cd25a773e3d063227cec827030d51c5ae38c5181606c129c735aa9920e1978855be4499687ca7c7b49ebb5c234da2220caca03915bb868db92

C:\Program Files\Mozilla Firefox\xul.dll.sig

MD5 aa21ae5908b9d7c99ca27e6e422610bc
SHA1 a92909eac34ef5a9f4e3d13962ccc92e2da262d1
SHA256 eb86adf66e5ad18916f25d1628e5c08888038bd986dedc15c8bcaea80089a226
SHA512 c330cae1e89617fd485155a093217d7fbd0c9a96f21d4fb3e79a6a5eb16864c8bb2134883faf2121759601253d36774d46ae05f1e9f3769eef72130b7aafecf4

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json

MD5 cffdadfaeeaaf0a5a78e7f9a299aa7f1
SHA1 7a8f06d7c91877484301ce8474dfbb1bde08a040
SHA256 ef47e83036753b53f59d079fef62bfedc749abdbcdb0fe16f448d9920f11114c
SHA512 5a11e448389326ddbd3be792d9a10ae746c66e4a41f9c96f4979ec71fde385fc4deb205a40f1b4f24415abd9d41c453ca1285f4b813005b1d12a2701f214db85

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig

MD5 90808af995ca1107a8499baa48853f0b
SHA1 407ff7d66143751b9c7483f1cd576c94b2862eca
SHA256 f4c2ac80a8625c5d2c7011fec386218646f233d6a3fedc0988b5438f6ac0cbe3
SHA512 a63d40dc6eff719feeda08e15578ce455086e140ce5119da6d54fc6a4125487bbd23c92e5368a95520359aa7af508b594824b10f00750e7aadecfa01de18926e

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll

MD5 ae165d60948e59a1cad79f1379720fe9
SHA1 e5b1d608588f97665040eb01f7c9ee2629402906
SHA256 37e59b27d822d411166ab33083c246f7409effdda18e0faaf996b4bddf20ed49
SHA512 abbdfdec889899229b670b69d4f8deb3ed58e0fef514ade2d6677369eab1be8c54bd0183b65f12fc5cca9fabdfaa79f3fbf7ff7baf2e18e1701c697ac504c0b3

C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf

MD5 aac75d901445bc0419d56e56dbc18891
SHA1 3ada434f3a727167ce6dce3b865fa6bfb70ed86f
SHA256 6d90152ee0d29e82fe2a87793af5aa4b7ad13e6538360889e141e81ed299ee8e
SHA512 83fd92ff444ab6de18d48997247f49845abb8420a07b74ebc8a65bda8da69d28f87b6abe0f607b2fd7da398dc0f8cbe7fbf655af6d25785ad8b2f1a3afca136a

C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js

MD5 3d84d108d421f30fb3c5ef2536d2a3eb
SHA1 0f3b02737462227a9b9e471f075357c9112f0a68
SHA256 7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b
SHA512 76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png

MD5 1a340e565e697e63b5a4ce51f7297119
SHA1 cdb4ca85700ed81db13b15d4bd5b77d41bb20d34
SHA256 c4bb210e61cd35f9a0a54fb941ea2e3bf6abde799bea1c78d24c761c9a3bc429
SHA512 92478fe26f9ea7454206a3106632534c5608d6940588f01fecfd799de636f11b003ffd1e5c762201f9a14f4ebb7fa6a711d99312b03914de817246a6008c7b35

C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png

MD5 8e058139e0576b4ad8d424bb21071063
SHA1 f584d2412c935aa8a7cf73ecdfaaa6a3cf87c064
SHA256 e86ee493e89f5dfce2ce8817ac5d1c04d8ba2b07a06ff0f967c0167562510df7
SHA512 9ce457aa516fb2d3cb7b4a08f2dd81573de301fefc6ddc877142a35851151407367605f00862fb77067d0969ba745bc6bc612a4440aa3017e508e572ec88f2fc

C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png

MD5 c9ae03c43b67a4e4986518fe3fe29756
SHA1 07221e0401f306487504ae9b3c46ef1cb5dec843
SHA256 adf41380b5ed3f73b8e5fb51f7f33b722f4db4600791cdf92033267c9971c4d5
SHA512 0ace7c3cdc18eb1e67971a5acd0a54e1c00d37ac556f8183dccede984cb6520660c9b27064a8ef5f7b706fdabd70e5e424b7b7271ff751bffd997cf2284f9fe7

C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png

MD5 e9068cd977693bdab242de4280dda725
SHA1 35a5c8aee11597ec7cc6adaf15e8673b713d73a9
SHA256 1701ff395543f3ad6b25584fa7014073f74949baca0dd2552216f58131328fef
SHA512 29ebff0f99c9a8f47b8f145ee8d88877b17ae0e3eeed1bc017caa20c68a63166831f5feda768189e837d2390cc80790e3e69aa7ec26bf92da2e90b66e1be3362

C:\Program Files\Mozilla Firefox\browser\omni.ja

MD5 bf952b53408934f1d48596008f252b8d
SHA1 758d76532fdb48c4aaf09a24922333c4e1de0d01
SHA256 2183a97932f51d5b247646985b4e667d8be45f18731c418479bbd7743c825686
SHA512 a510a96e17090ada1a107e0f6d4819787652ab3d38cd17237f255c736817c7cfcb3fd5cf25f56d5693f4923375b2ab9548e9215070e252aae25c3528b2186d99

C:\Program Files\Mozilla Firefox\browser\features\[email protected]

MD5 9fe1653c31c6ff75c906aed024d53b32
SHA1 d2fc52a9aa47a0fe0099bee9178946210a163031
SHA256 d9f4c6e6f535d09deec1a58068713cc845b6dbbda2fcf5dc8669f6489bb63005
SHA512 8d7fef23d0edad4e8aa64f2f400965565c70d0d1f94d0bdcd14b779fef9192de079c2547c2d80b171e6c9316ab0221a265efb49492bc90d213b64ecde46bb30c

C:\Program Files\Mozilla Firefox\browser\features\[email protected]

MD5 507739399c82ef6487da73e587423f1f
SHA1 95177d06563e55f4084504e06e88a1c0f3f52b0f
SHA256 796ba4ee5430db311dac2e45323c3e71059f23a54ec2d5bea22387f33fb92de7
SHA512 6bd0bb547f3bbcaef5db00e554a0b9fb45a78efd01018a4d706bcc94d5566458f931cf954cea22e2674ab2065c72617e49b21f9e354f16109b4b64d4fcd0b4f6

C:\Program Files\Mozilla Firefox\browser\features\[email protected]

MD5 3702bd7db59a2feefb35401b32876245
SHA1 31e2e408ff9c185001513386fc346f7512effbd9
SHA256 dd5a380c7f29c8c1db6e7b2071ee550c8a93ac3321c11bda9d0912f176f8746f
SHA512 0412f029075866af6b6df95b6cc690542504c52af23cc7666b63f53893983d4d14e3729a02c1843f3bce1361d7ed5028bb5d59aa7be4403e8e6c79faf7fadd6f

C:\Program Files\Mozilla Firefox\browser\features\[email protected]

MD5 3002f01583a526323a8af2528c871719
SHA1 468390eb0a1d93eebd2ddc303ed8a03854e99916
SHA256 9789afb5305d211676f14025f6afd8c3e731d54edb46b0120f0f544183b223c6
SHA512 6425e488e6cd06baec14e711b87809a451cda1429e7298ac0c8acfb9b92f852e36a97f9d459f0305bdc4119ee1517012836893ceccb5e73a9276fe23fd33b616

C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini

MD5 9524df130a8e1ab4efdfb32b4e68a7b2
SHA1 98593d6520ffeb0c49803dc1ada0ee3131be4c88
SHA256 699cb7896b205018db7248a2954d0432022c63957ad3a83ae53711755ad47c8c
SHA512 9689e204f84bd1ae815a07da860fdb6613bf9c3220e301ce2395e971fca0ef6115b3fd3ab50983e48f49e5a7b2a79b951df22bf9a00a362fa274915001a9fc14

C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini

MD5 4b8dc92a079f224935392f9b5a2dc051
SHA1 1027fc1b3e2e8ae78c60bfb25c5c9f87f9b3cae2
SHA256 79d1631316cd79bc5127f745aa6707b4445f7d0432b685ef2c3ec3cf3a62ecba
SHA512 ad0186cfc9df574e4a3c7c209b5dc3078fb86f6b1de0008bdede6768ec08d61b20f371d7b2d01dc50aa7d094b150db816358f03fa0d9135ce26d80d8886a1704

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\ShellLink.dll

MD5 fa94d120efb029b43217c66bbc8c650c
SHA1 1fcf2d76adf69b403b7400681ac91d50ed20385f
SHA256 5f6f414b412c72b10f49eb92af1d368ede531b58fb200d539fd2b45e371612db
SHA512 07ed0771d5bbb651ea7421a5f6b08fa234f9cc041315d9360a7135ba12180064fc99a27725385a8ecd3ceb25bed5c00de169f7dabb3ccf6e987f45254dff8158

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\ApplicationID.dll

MD5 fdc0338e6faeaf6f7c271982e103473b
SHA1 9a41f7932abe8be7e32c6371f085cf14de355d00
SHA256 a9dad9fdaae93d10dc2ee346b231913445e731049554b8bb1506827e46f8a44e
SHA512 a766eef11db4c94b1445d1cd70cf1d3b6141d6b3973562e9fa8d81c79195886b884dbc9b9f6952f8a6e8619534a6bf2d615d539d2cace9c8843dc19415051cc0

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

MD5 d7309b0a13c4c25e856c84df6a94388e
SHA1 83e969a18a53417df73469bb78b6aeea83617df1
SHA256 9da6cb8200202717a9e87aee841e663d57287fd817434ffb382a86ba4a08867d
SHA512 b2966269734a03a5ad251aea4faac657ab6cbe8d1d94438d1167aa049bd47c6be80a36b8b9aea53888508280135fc6025fcefa29d3f731adb05a87a408d0e2bc

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

MD5 2aadf786e46bc7c560085d2215052843
SHA1 6eb816d94c3eab176b9f1da6c08496fc7c916c0a
SHA256 e7eadd4fb7b0783663b304488f7a0fb974511b1b77a2d3ad85e2b7f1ec354c54
SHA512 c93be9dfa97793aba8a434ba73d6a9968b1ddf575f04fabd54b1af696a6ac0720a6586748e7b8da09fdd2f0532c66fec94b512cf406fa56562c29d798b2c938f

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox Private Browsing.lnk

MD5 c6718fff4b071086172b876119ea22af
SHA1 104e1663c01648bab258ed641d350fffb8ea97cc
SHA256 f646b78c5296c882c27cc60a539d566b2e412fb31ba6184862ba8dafd5a77db3
SHA512 66e113243ab708c43e344962d2b3d21e8db98ffc3e7e09ce98738fee84cc7172ff1cb3ed0d8d230efccb0e66734f67ffe89a26a764f91f645398ae9777d05478

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox Private Browsing.lnk

MD5 eeead1c7fc7cd1b3b166a8f1ae77a03a
SHA1 271da2ae7489d139611680547df2a423010de4e2
SHA256 1ac054fe9c3108e95205c5daa56badcfcd34c7b0f342685e72464efd0964c5c7
SHA512 c8e33152f13cb46b54400e533346afdf61c010f9a38780f6c788ad1b6c4cb5db7aebd6f5fd2295ccd98032856b9d394790b594d4bfa54086d8901baf90717e94

C:\Users\Public\Desktop\Firefox.lnk

MD5 467d327204150eb7bb33c95f70296b48
SHA1 1efdbe1b812c09362dd7ceb1b890c4c55fe5dfdc
SHA256 b137897e273872e857115f52bf7121703b976120ab869e7a616ac4057d619217
SHA512 cd1a3fa175f58092d9e329758fad68fab4ae7fa99b5f0490925c4e934aa9aa20b91335fe2263ab40d3ff34c07fd4abc01d6d353f1c927cc4653f26f19ffe178f

C:\Users\Public\Desktop\Firefox.lnk

MD5 3f66acb332e67c33efe1a88df785a18b
SHA1 e20739e4cb97d8e6fd1ad3ee7f9c73e17ddb8800
SHA256 b7f2751ba4bf61b0bd3b069e541de8148aaf24b5c70cda45b4c4b57b500f8d62
SHA512 e0276f3ae9d689c8d6f637db09704138366a5478ab367b466ac805c2802ccc3df395fe60699b621e4be47c832598dcddd904ea4603a4a6e99be582cd42cfb8e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\vmqlk23h.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp

MD5 780a09f4232b4bb65feb51cd88527aa5
SHA1 354fdd19c173460c841b70f782d53c273dfc4c36
SHA256 e8883b22ca63de6751f4d9fbff6fd62b29af166e9a0486dc48f1d2bfbc5921b1
SHA512 5626a79defa810616ff19033c49a5e82791c57054251604c43d2ad585110095131f7ad762039b1978bb4c6f46d747ddbd2262256eb59996903ef5465a87dadec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\vmqlk23h.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp

MD5 1ea34670595488ac3613ce8c1d2f7ebe
SHA1 b47504c231240d7155e5102308873ba8ea2b0d93
SHA256 1f76c070a977b05e7ddca724e3d91a3502e8d085aa25abaf6e33d15ed4898572
SHA512 3d03a4863f7ef03bdd0291a8abcb6f72351bdc60c6f48022068e6832b6067c5403e04c06ea4911dfcbead9ad31b0e1b5be2dfd8c2d2b811e35c859ac8d91027d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\vmqlk23h.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\pending_pings\03486f73-04e8-4213-970f-4eb904169d58

MD5 6aac5a63425f44e361044d31eb9702dc
SHA1 902de050962ed4b5fa5df3eefd24a8fe1d66d887
SHA256 80889401c58522798ef1c1c039c2d15cac62261beb2a312f96ace4c2e58e2088
SHA512 a34df00e591f133ecbbbec249c733bdf53c6614747a7fd9d23092864ad03d8d2e792a553e7ee5f4bb4aa4ff12a519b9e1b07e0c84aa73a95ba0057d2bff2d466

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\CityHash.dll

MD5 2021acc65fa998daa98131e20c4605be
SHA1 2e8407cfe3b1a9d839ea391cfc423e8df8d8a390
SHA256 c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14
SHA512 cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\nsJSON.dll

MD5 e832077eaee06f3b2ac9a8d2e7264567
SHA1 decbc329257c9c7fb67d3c449b4c5dfc1f87471f
SHA256 705f4947fb94254c4e5084e6a962045f6a4e790dfc1ecf59cd0fc3feb38bcbbf
SHA512 c1bada98c52ee2318d23c48fe202380eb42c5e1f18226cdc017f264c8c34f548bfe4d9b6eef13caae69ba321a71b199431b249fdec65f8bb1c386810932ccf6a

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\ServicesHelper.dll

MD5 b9e8c2212ac8dae4b0eaf97c048529fa
SHA1 331d172323480b0518abdb0cc9e256dc7f46c357
SHA256 d6f6758adac2c073bec481e8de762af3a5574789bce3f43de02356afc9911e0f
SHA512 d93aa032e27c8268a4f6883711cf41f7ee2b5d33673a26d78db24456f2c548af39b7b98ed4b4737245c278d524fffb3e4bf708b6815dc866acd371427ff6be96

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\nsExec.dll

MD5 0e584c7120bd474c616013c58d51dc6b
SHA1 0bc980892341b52985d92fb3d8fbb6be77951935
SHA256 7fb626aa05bee1095633a75aeb7895ebd816a98e0aa1581a0154e4c196de5391
SHA512 aa3a471b3f33c3ffdbe1b1e3c1e5d04367bcab3c16049396a8dd12c5a8317e4b153761f74f39b756dd4fb1806aedc4f1bb38bfbc12f16480eed3fd3087a0d157

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\liteFirewallW.dll

MD5 f31ba98a8d87faba153eea134968c854
SHA1 da0865cc1a86a39367f22897e1f9fbf4fb1f804f
SHA256 708fb54cffb6aea3547fc5ac745d1435ecc814df563bef59ba7a94f57d082bbb
SHA512 d991a2dd5ef537b25898afd7b7e73274a3cb8e6f5fca1621af22ee2761b82baf220aecb0c84434566742e2ab00b2f57a3740ce9831e76d4e1829bac3e044c8e9

C:\Users\Admin\AppData\Local\Temp\nse76D7.tmp\AccessControl.dll

MD5 eb7a540d0d2e28f6bf524d2cdbe0f478
SHA1 76204991c60913cffeba5595033c4f79e1e89bd8
SHA256 ef4b548b27a6edab3bcb25cff0598918c645795850d62f232909dee851e04c6d
SHA512 947132d07f7875dc99fbe8a87757f6efee0a8c6271f8a3bac6747f9f4f60ed7e203e28a588db8c55ee898ba8f3dcf640f6562c49c45d6c6d8fdbe2d2309b9984

C:\Users\Admin\AppData\Local\Temp\nsn3578.tmp\bgstub.jpg

MD5 7c2899ce7038a456c772f45f21cf9efe
SHA1 5f9116469f2026714a7c67d39b4d3fa0ffaf5d26
SHA256 a201e838caec6eac014a6facaf3ae5b8fd625bea510c856b332c535958e4cab2
SHA512 3d268bd2cfe2c811de766fe734f3e421cb4929b953f79cdc0556795ea92a63f5121de2609873c6dfcdacda7ef000fee27a1c86d8f3b8fdc2ada6a00a329813ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

MD5 14f34fc97ff2214eda5f7547ecc42bb7
SHA1 e601baa7253ab86403cdb7b9b483e1476566bf3d
SHA256 4da9817e7d3a9da56b1d065dea0f1526ff7c3810f4aeef6bff0ef45ff5497416
SHA512 fc83327b2effa5e3a615be175d1174b01b2403a25f3c7bed5ce0431f316bb1b34c64bc65a11190d8cf88244a727cc588e79823bb8f4276a4e2fa732e5364121c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\pending_pings\b5d1736e-1d20-40bc-9281-f7763285be4f

MD5 a02304fc2cdb04240f4c4dff4eeb6531
SHA1 71c9fb1e9c3b3f5a9999670251dd285c7948b2d7
SHA256 75b374e9f51ba1f8a381f1f0f2f30ca304755670efaca637947a60240e543647
SHA512 f89778375405b42ca8402dea94dee7cf68838f115135d3ccff26bf7f7bfaae6a7ed07ea22501c410f0742d8cda368061e3334194ac6840fd9b45f4a5c41fe0aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\pending_pings\07f02357-416b-49d6-81c8-82beec52bf9c

MD5 05b5a4eaf7a82ecf61edddf886b238a5
SHA1 05c0b50c599caba36d9edfbaa21b75df8da592b1
SHA256 a180bde19b48ef638514860a77df92367c4873649f07aa69f619f0dbaa3fa951
SHA512 58025bbb16ff97c9ff66734fcead1b7be42c99f62209231e130ec8587bec6c25a15c52ec596a3de56ebf445270320b87384f99abceba4a0efef86538029ab21a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\db\data.safe.tmp

MD5 692eb6c23238ce86fd2c202cb7bab1f1
SHA1 f7b0d89d037ca63985191129f5b93669806c88dd
SHA256 743adf1b10f56b7f4c6a0b4f48ac2496ce72f43624bc4be96c516529746c4c63
SHA512 287179f2aad8c25a5e550e687ac7eee0dc4f3c5cbf48d10419c7f30dd598c7c1729f8258a47571d15ecd8229ca42e9a48786ac3f622439e9aaf3c57f45cb3458

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\db\data.safe.tmp

MD5 8cb86655936f8e29e3c360d04d1a3a87
SHA1 7ca1fc77473b7e1ea3d0e359227b6fbfec0fc22b
SHA256 074b6de4120dda22c24dddfa24055a2fb34cae36b449d67105f7646cc188b0a5
SHA512 733ff4426fa32c320f813f88ba5617382ff7710373fbab74f4dad7359138a35a0df053499a4d2d405e811479b260b7eb91bba17b5b8ff74d59a49e5f8e598d97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

MD5 c018cbf6d462b2402e8b59406e7c91a8
SHA1 436edd3a404359674601e6078368fb2d9e9224d3
SHA256 c0283cd400223787cebad972d18e81d925ff5c1bee7b33c563fbf2b63e5a9473
SHA512 10cf8d3e409d09e5cc79f1f44e46b8999c647693b3dfdaeeca5637588d48f2826da4ab453e134f64f9e0eb87e99315bd9d382d7cbec57741eed5e8505f6d47a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\db\data.safe.tmp

MD5 254cd6756aac04f300b14ec7141e4850
SHA1 bde2b018f1e9568f7348abc78baef90be0645d77
SHA256 d88b836a4607bdacbfc7f9002b9e4914aeebb06bb0580d0a62ba1d12225468d0
SHA512 d2e0377c4129dc4bc4a580284e28630d0a5a9cfa52ceb31bedb306cf837f3d01878a47f12ba8e04241b5f505018aaf56c4ad6350a335da003352c66ace10ff16

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs-1.js

MD5 5d403c267ef8bb52aec3d379f7f0b22f
SHA1 7c1dd34d9621ca0932f3f763473c7f9988ba58a1
SHA256 f068e05c90d6c37266b47299b6b0e057ccd4cef99ae3413f4fa311257a21e43a
SHA512 431acd5ac7a60bd0f0ff65129da2241c567a36b8ec38d24d43d426dc28aff46cb75c093e979ac87e09849aa6601639d8fcb319758b2c82d0866562958014982f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs-1.js

MD5 cd1498fc57e281e9c50e958b532e632d
SHA1 a7a2a837fc9a99bbf26c8169c4a79242fae3af2c
SHA256 52fe27f6d99e3057c442010f2d857e951529b26398e34e62eff15358cc124543
SHA512 90588cc2f7a8bff442ea1f84e319b8ffe1597d8b9028b1525013d5ca0f0188ea898c63384c5f1632ae129efa0c725bb6e75bb86fcd13705f1e02c4f5b2d7269c

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\extensions.json

MD5 d06e09c5d3c44c6267ab4a0edd06623e
SHA1 4c0b521c083cbc795ee34c751fb94e89bff9fccf
SHA256 d4efeec983d8961fa10e4e4be73f46222f0887ae45d018de84228e5fe4674662
SHA512 c442dab839238083dd29c57e6ef7c949e1a86b89aa7370cebebba2528aba2511311f4e80a33e2a6a34b4ca947d8af65305c9601780b7955ec861df5bd7034039