d3f144e37a9e5a6e6e0f4232a39371512fd4a6fcb677bc1813212651aa06a630

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22094d5610536c777379742f097e9205_JaffaCakes118.exe
Size

365KB
MD5

22094d5610536c777379742f097e9205
SHA1

0677a872535b5e8a116b32f9bfe2606937a043d8
SHA256

d3f144e37a9e5a6e6e0f4232a39371512fd4a6fcb677bc1813212651aa06a630
SHA512

2504337bb1b171e080ec2f3d8aa0f931e7c76c7edb630da7dce022b69cb0386aa4338db12a6f43e8058fe3e1c9be27416b6cdb2302eeba66795a0e1caf6d1c45
SSDEEP

6144:hGyGzOYXNJ90u43czRhZ4JDEBEkSphstJZVKNPUNUH1H2koUnuQVyM4:h3mN30uth+JhgXm8IV2enDI

Score

8^/10

discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	firefox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 24 IoCs

pid	Process
2224	bNA0FTDAadW12O3.exe
4808	CTS.exe
1864	setup-stub.exe
3800	download.exe
2840	setup.exe
2472	maintenanceservice_installer.exe
4656	maintenanceservice_tmp.exe
3872	default-browser-agent.exe
4292	firefox.exe
4720	firefox.exe
5088	firefox.exe
4860	firefox.exe
4568	firefox.exe
1000	firefox.exe
2200	firefox.exe
4928	firefox.exe
1612	firefox.exe
1764	firefox.exe
4428	firefox.exe
2840	firefox.exe
1040	firefox.exe
2948	firefox.exe
516	firefox.exe
1140	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
1864	setup-stub.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
4552	regsvr32.exe
4552	regsvr32.exe
2840	setup.exe
2840	setup.exe
2472	maintenanceservice_installer.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
3872	default-browser-agent.exe
3872	default-browser-agent.exe
3872	default-browser-agent.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
5088	firefox.exe
5088	firefox.exe
5088	firefox.exe
5088	firefox.exe
4860	firefox.exe
4860	firefox.exe
4860	firefox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/864-0-0x0000000000260000-0x0000000000277000-memory.dmp	upx
behavioral2/files/0x000700000002327a-3.dat	upx
behavioral2/memory/864-10-0x0000000000260000-0x0000000000277000-memory.dmp	upx
behavioral2/files/0x0008000000023420-8.dat	upx
behavioral2/memory/2224-7-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/4808-12-0x0000000000090000-0x00000000000A7000-memory.dmp	upx
behavioral2/files/0x01320000000162b3-20.dat	upx
behavioral2/memory/2224-112-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/3800-137-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3800-1185-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	22094d5610536c777379742f097e9205_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe	maintenanceservice_installer.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsp3888.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\nssckbi.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozavutil.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\nss3.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\platform.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\vcruntime140_1.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	setup.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe	maintenanceservice_installer.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozglue.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozwer.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja	setup.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\removed-files	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\	setup.exe
File created	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\vcruntime140.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\update-settings.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe.sig	setup.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozwer.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\omni.ja	setup.exe
File created	C:\Program Files\Mozilla Firefox\installation_telemetry.json	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsd676B.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	maintenanceservice_tmp.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsp3889.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	setup.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsp3887.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.tmp	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\osclientcerts.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\nmhproxy.exe	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	22094d5610536c777379742f097e9205_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Colors	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Colors	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Colors	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8646E0E8-A0BE-476E-BB9D-0AD8BC98D9C8}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\notificationserver.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\FriendlyTypeName = "Firefox HTML Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FirefoxPDF-308046B0AF4A39CB\FriendlyTypeName = "Firefox PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\URL Protocol	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8646E0E8-A0BE-476E-BB9D-0AD8BC98D9C8}\InProcServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB\DisplayName = "Mozilla Firefox"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FirefoxPDF-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB\IconUri = "C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\VisualElements_70.png"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ = "ISimpleDOMDocument"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\FriendlyTypeName = "Firefox PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods\ = "8"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\ = "Firefox URL"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FirefoxPDF-308046B0AF4A39CB\ = "Firefox PDF Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\FIREFOXHTML-308046B0AF4A39CB\SHELL\OPEN\DDEEXEC	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\FIREFOXPDF-308046B0AF4A39CB\SHELL\OPEN\DDEEXEC	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8646E0E8-A0BE-476E-BB9D-0AD8BC98D9C8}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8646E0E8-A0BE-476E-BB9D-0AD8BC98D9C8}\DllSurrogate	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods\ = "9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods\ = "18"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8646E0E8-A0BE-476E-BB9D-0AD8BC98D9C8}\AppID = "{8646E0E8-A0BE-476E-BB9D-0AD8BC98D9C8}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{8646E0E8-A0BE-476E-BB9D-0AD8BC98D9C8}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "PSFactoryBuffer"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4656	maintenanceservice_tmp.exe
4656	maintenanceservice_tmp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	22094d5610536c777379742f097e9205_JaffaCakes118.exe
Token: SeDebugPrivilege	4808	CTS.exe
Token: SeDebugPrivilege	1000	firefox.exe
Token: SeDebugPrivilege	1000	firefox.exe
Token: SeDebugPrivilege	1000	firefox.exe
Token: SeDebugPrivilege	1000	firefox.exe
Token: SeDebugPrivilege	1000	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
1864	setup-stub.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe
1000	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1000	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 2224	864	22094d5610536c777379742f097e9205_JaffaCakes118.exe	82
PID 864 wrote to memory of 2224	864	22094d5610536c777379742f097e9205_JaffaCakes118.exe	82
PID 864 wrote to memory of 2224	864	22094d5610536c777379742f097e9205_JaffaCakes118.exe	82
PID 864 wrote to memory of 4808	864	22094d5610536c777379742f097e9205_JaffaCakes118.exe	83
PID 864 wrote to memory of 4808	864	22094d5610536c777379742f097e9205_JaffaCakes118.exe	83
PID 864 wrote to memory of 4808	864	22094d5610536c777379742f097e9205_JaffaCakes118.exe	83
PID 2224 wrote to memory of 1864	2224	bNA0FTDAadW12O3.exe	84
PID 2224 wrote to memory of 1864	2224	bNA0FTDAadW12O3.exe	84
PID 2224 wrote to memory of 1864	2224	bNA0FTDAadW12O3.exe	84
PID 1864 wrote to memory of 3800	1864	setup-stub.exe	98
PID 1864 wrote to memory of 3800	1864	setup-stub.exe	98
PID 1864 wrote to memory of 3800	1864	setup-stub.exe	98
PID 3800 wrote to memory of 2840	3800	download.exe	99
PID 3800 wrote to memory of 2840	3800	download.exe	99
PID 3800 wrote to memory of 2840	3800	download.exe	99
PID 2840 wrote to memory of 4552	2840	setup.exe	100
PID 2840 wrote to memory of 4552	2840	setup.exe	100
PID 2840 wrote to memory of 2472	2840	setup.exe	101
PID 2840 wrote to memory of 2472	2840	setup.exe	101
PID 2840 wrote to memory of 2472	2840	setup.exe	101
PID 2472 wrote to memory of 4656	2472	maintenanceservice_installer.exe	103
PID 2472 wrote to memory of 4656	2472	maintenanceservice_installer.exe	103
PID 2840 wrote to memory of 3872	2840	setup.exe	104
PID 2840 wrote to memory of 3872	2840	setup.exe	104
PID 3872 wrote to memory of 4292	3872	default-browser-agent.exe	105
PID 3872 wrote to memory of 4292	3872	default-browser-agent.exe	105
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 4292 wrote to memory of 4720	4292	firefox.exe	106
PID 2840 wrote to memory of 5088	2840	setup.exe	107
PID 2840 wrote to memory of 5088	2840	setup.exe	107
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 5088 wrote to memory of 4860	5088	firefox.exe	108
PID 1864 wrote to memory of 4568	1864	setup-stub.exe	109
PID 1864 wrote to memory of 4568	1864	setup-stub.exe	109
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 4568 wrote to memory of 1000	4568	firefox.exe	110
PID 1000 wrote to memory of 2200	1000	firefox.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\22094d5610536c777379742f097e9205_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22094d5610536c777379742f097e9205_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\bNA0FTDAadW12O3.exe
  C:\Users\Admin\AppData\Local\Temp\bNA0FTDAadW12O3.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\7zS0B8CA317\setup-stub.exe
    .\setup-stub.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\download.exe
      "C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\download.exe" /INI=C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\config.ini
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\setup.exe
        
        .\setup.exe /INI=C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\config.ini
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4552
      - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
        
        "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4656
      - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
        
        "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent register-task 308046B0AF4A39CB
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent register-task 308046B0AF4A39CB
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks processor information in registry
        Modifies Control Panel
        
        PID:4720
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask install
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask install
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks processor information in registry
        Modifies Control Panel
        
        PID:4860
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Checks processor information in registry
        Modifies Control Panel
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2140 -parentBuildID 20240606181944 -prefsHandle 1532 -prefMapHandle 1888 -prefsLen 24202 -prefMapSize 251744 -appDir "C:\Program Files\Mozilla Firefox\browser" - {307316f2-9a1b-4fd6-8621-9eeb67d9bdab} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" gpu
        6⤵
        Executes dropped EXE
        
        PID:2200
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2560 -parentBuildID 20240606181944 -prefsHandle 2552 -prefMapHandle 2548 -prefsLen 24202 -prefMapSize 251744 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de451c64-a111-41cb-8cca-964b7099860b} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" socket
        6⤵
        Executes dropped EXE
        
        PID:4928
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 22123 -prefMapSize 251744 -jsInitHandle 920 -jsInitLen 234488 -parentBuildID 20240606181944 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {276e6477-d454-4cbe-a092-944448340fd7} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" tab
        6⤵
        Executes dropped EXE
        
        PID:1612
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3312 -childID 2 -isForBrowser -prefsHandle 3236 -prefMapHandle 3304 -prefsLen 24588 -prefMapSize 251744 -jsInitHandle 920 -jsInitLen 234488 -parentBuildID 20240606181944 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf652bbe-1a98-4bab-bc74-963cce543d71} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" tab
        6⤵
        Executes dropped EXE
        
        PID:1764
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4188 -childID 3 -isForBrowser -prefsHandle 4180 -prefMapHandle 4176 -prefsLen 25548 -prefMapSize 251744 -jsInitHandle 920 -jsInitLen 234488 -parentBuildID 20240606181944 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a15d7295-768d-43fb-b2fc-3ce4dfec76f1} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" tab
        6⤵
        Executes dropped EXE
        
        PID:4428
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5012 -parentBuildID 20240606181944 -sandboxingKind 0 -prefsHandle 5004 -prefMapHandle 5000 -prefsLen 30337 -prefMapSize 251744 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5bd0b67-c880-40b0-a43a-20d6e9e61047} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" utility
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:2840
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -parentBuildID 20240606181944 -prefsHandle 3204 -prefMapHandle 3196 -prefsLen 30337 -prefMapSize 251744 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffdd830f-eb43-4064-b2ba-469bdfc7c251} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" rdd
        6⤵
        Executes dropped EXE
        
        PID:1040
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 4 -isForBrowser -prefsHandle 5808 -prefMapHandle 5812 -prefsLen 27852 -prefMapSize 251744 -jsInitHandle 920 -jsInitLen 234488 -parentBuildID 20240606181944 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a0c4106-52bd-4ccb-a952-f8e2625ac1b4} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" tab
        6⤵
        Executes dropped EXE
        
        PID:2948
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6032 -childID 5 -isForBrowser -prefsHandle 6108 -prefMapHandle 6104 -prefsLen 27852 -prefMapSize 251744 -jsInitHandle 920 -jsInitLen 234488 -parentBuildID 20240606181944 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35174090-a7e7-4b13-9534-78435e713d96} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" tab
        6⤵
        Executes dropped EXE
        
        PID:516
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -childID 6 -isForBrowser -prefsHandle 6300 -prefMapHandle 6296 -prefsLen 27852 -prefMapSize 251744 -jsInitHandle 920 -jsInitLen 234488 -parentBuildID 20240606181944 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb97a450-fa1c-422c-88af-526e0e0b353a} 1000 "\\.\pipe\gecko-crash-server-pipe.1000" tab
        6⤵
        Executes dropped EXE
        
        PID:1140
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png

Filesize
15KB

MD5
e9068cd977693bdab242de4280dda725

SHA1
35a5c8aee11597ec7cc6adaf15e8673b713d73a9

SHA256
1701ff395543f3ad6b25584fa7014073f74949baca0dd2552216f58131328fef

SHA512
29ebff0f99c9a8f47b8f145ee8d88877b17ae0e3eeed1bc017caa20c68a63166831f5feda768189e837d2390cc80790e3e69aa7ec26bf92da2e90b66e1be3362

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png

Filesize
5KB

MD5
c9ae03c43b67a4e4986518fe3fe29756

SHA1
07221e0401f306487504ae9b3c46ef1cb5dec843

SHA256
adf41380b5ed3f73b8e5fb51f7f33b722f4db4600791cdf92033267c9971c4d5

SHA512
0ace7c3cdc18eb1e67971a5acd0a54e1c00d37ac556f8183dccede984cb6520660c9b27064a8ef5f7b706fdabd70e5e424b7b7271ff751bffd997cf2284f9fe7

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png

Filesize
22KB

MD5
8e058139e0576b4ad8d424bb21071063

SHA1
f584d2412c935aa8a7cf73ecdfaaa6a3cf87c064

SHA256
e86ee493e89f5dfce2ce8817ac5d1c04d8ba2b07a06ff0f967c0167562510df7

SHA512
9ce457aa516fb2d3cb7b4a08f2dd81573de301fefc6ddc877142a35851151407367605f00862fb77067d0969ba745bc6bc612a4440aa3017e508e572ec88f2fc

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png

Filesize
8KB

MD5
1a340e565e697e63b5a4ce51f7297119

SHA1
cdb4ca85700ed81db13b15d4bd5b77d41bb20d34

SHA256
c4bb210e61cd35f9a0a54fb941ea2e3bf6abde799bea1c78d24c761c9a3bc429

SHA512
92478fe26f9ea7454206a3106632534c5608d6940588f01fecfd799de636f11b003ffd1e5c762201f9a14f4ebb7fa6a711d99312b03914de817246a6008c7b35

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
102KB

MD5
0c8cf94ffad353d2886d03a32d777311

SHA1
603f57f7c85ca29cf792f0706a2fce885a224934

SHA256
99d8ead3ea04c76227065301f96dc5fc787bfee92eafdfe1c8dfa2c58d7eb10d

SHA512
9256114d08446fb40de6abcd8f452c1b8cca19bee1b2f73e319799a32c5be9e7805f98914e9ba2c863f25588b742d4eca1f0dc5b71647756e09342237073a024

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
64KB

MD5
177da7c6e03858197ddb42393f30f863

SHA1
f3afeaf603500fe1467c7dd06035eacb3fab35f8

SHA256
96f4f0d8f967010544a1a8cc47c762479e98cbee458bff1eeb816d7d03c6db31

SHA512
c76d097a28a64ac2be0bcb87545cb8f3759f4eaa4b7d4031866a36f5456535e3087b3cb2b5def081b598dd09e6c7b4b5962075a72f935630c07959f9b80dfe31

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
168KB

MD5
bad91c6c2389c1c3dbe8476e0e8436f4

SHA1
123a805cb215824fb3ca422e000d7f2d30b8e6f8

SHA256
8f865308d8f81c221ed2835653378ac1dbabb1fc15c63acb93e10097a3f84eff

SHA512
3a01f05d1d8c516e88077609e45d1c957ed74838077e79c142a634cc456fcbfad727d84dc744799df443dcee722e56072d721d38e82247331542cc39f95e20bd

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
10KB

MD5
558ffbddd035c7caefab83387edea858

SHA1
13e55b6d4571722310a3c4f0e2154d8885a33de5

SHA256
04b18b097569cc963db0533a15467399d48e3acd0c52ec3a1a1613ae7c8b50a8

SHA512
186f9dd4b502d15a4f96617c79fda146765a2a7df5bd5c6f0ef2fd6f3fdd8dcaa0ff2170f60445cb0daeff6aa968a4a462f48996dc76b3cddcf0adda12307533

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
416KB

MD5
4d20454cea17280649742dab78c15732

SHA1
efcb665863993a7a8dc4a7b3a291f55bce49de79

SHA256
df5a69e9269d7ed35640147a620270f6832714e635d89392f225afb109c7b378

SHA512
bee6131027667b9dbb8c25f76d0647f1ac2f510cc31d1439c1ec3cbc7baf6327afee05dad96b64688d1aab66d9ba97422ae2b7e773a6d124d25ffcc8318b2a14

Download Submit
C:\Program Files\Mozilla Firefox\browser\omni.ja

Filesize
42.8MB

MD5
a5984886cd84da639cb2b5304c608c0d

SHA1
e27b0169f6b082f4fc2182e9c96ac476e32f5eba

SHA256
e4c5e107bbd541bf2b706fb8cc02cbd39ab2b530b83e62c96b5d54132f61fab0

SHA512
9c5d07caa9955d2844b36c36e1a2712403e29e2b19c042e84a8a9498b996a443c3691f69bae4484b42cbf9e08ba76016c7a5362c76742ecdb6834636ecaa7c8d

Download Submit
C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf

Filesize
1.4MB

MD5
aac75d901445bc0419d56e56dbc18891

SHA1
3ada434f3a727167ce6dce3b865fa6bfb70ed86f

SHA256
6d90152ee0d29e82fe2a87793af5aa4b7ad13e6538360889e141e81ed299ee8e

SHA512
83fd92ff444ab6de18d48997247f49845abb8420a07b74ebc8a65bda8da69d28f87b6abe0f607b2fd7da398dc0f8cbe7fbf655af6d25785ad8b2f1a3afca136a

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll

Filesize
102KB

MD5
2e5f16b4b5b3fc4b56207b064fd9a8bb

SHA1
c4d779ca41fe3e7934f4d1f3d83ee7cb0528029c

SHA256
63e5bb85b61cab267ddcf1e444bdbc90373cfb979b2a1f13620d0c0e059e0d0d

SHA512
c41abb4bc562d4e5edb79edc8133e73e437b89fd568a11b40ae7f171dc3e6eec628b5226496442ad7318e705b46a62fd2ee9d653d571a0909ec79a1f8d8169f3

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig

Filesize
1KB

MD5
7cc23e5b1ce06f7a2ac133650daad7aa

SHA1
5c59435d639adf795dde04028200a1a4e471d914

SHA256
5a2b996051994dfcec213e8e90554c0540941b9327c02005e1c4e976a7f05f1e

SHA512
cc6ccaa923a333a5fe04f584edb3b4fc9a109b48e6bd3c77534da0bac767790f82fec56b461a84fc1f2ad91f8ab12cca4f35d6b92a2962fc992a68dcde18394b

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json

Filesize
229B

MD5
cffdadfaeeaaf0a5a78e7f9a299aa7f1

SHA1
7a8f06d7c91877484301ce8474dfbb1bde08a040

SHA256
ef47e83036753b53f59d079fef62bfedc749abdbcdb0fe16f448d9920f11114c

SHA512
5a11e448389326ddbd3be792d9a10ae746c66e4a41f9c96f4979ec71fde385fc4deb205a40f1b4f24415abd9d41c453ca1285f4b813005b1d12a2701f214db85

Download Submit
C:\Program Files\Mozilla Firefox\install.log

Filesize
3KB

MD5
e65bc9873ec7a17cb90c77d644f30144

SHA1
c0bfe0ec20f928f3f825a6297dc5eba45c998512

SHA256
f7eb662c522170e3e7ec6b772c52ca94e3751f1dac74940887269edf222d581a

SHA512
fc1649da3fce1d7aefd9e6de00e0f22d58b34d7ede5f151603dba60f475f678176e703101286d216eff5ef3aee1cb34b3b1161bb8577cb9611a6aeb8ebb326ba

Download Submit
C:\Program Files\Mozilla Firefox\install.log

Filesize
3KB

MD5
99cf2b2e90964ffa79c40e091c6826d0

SHA1
5c158edb1660a0e1fe6fe96388c5be13b6f5def8

SHA256
1caeff5509192349a9662fd8a69216c1d37638f081703987099ffe031cc7fde5

SHA512
3b791ed1d20aa137bd70565df4098302068463b1513616700e7fbe3b43cf000469bfb70931098c630251f55954668359b7e125ef2243e0bc183403d2bfa68c4c

Download Submit
C:\Program Files\Mozilla Firefox\install.tmp

Filesize
3KB

MD5
bd0852c25d66d5c3da76fc624d895423

SHA1
7366a0386aec73a60dc56cff41b47c306a4ad081

SHA256
ef3ced9f9521b4d077cb47333191b899d7781d13c8ff6983d0f036636f7af742

SHA512
721f6163ecc0eab81053fe08ec40378398cf3782e739df2253245cf6a8c06b057ae6e75779f3b8ecff7d2873f208d064566e028fb3a4019d6368831167f50959

Download Submit
C:\Program Files\Mozilla Firefox\install.tmp

Filesize
4KB

MD5
25348138ac469101f17a94ec97b3fa2a

SHA1
4f4fa973323c6cadffb35c55f29e00b489847592

SHA256
4fd785f8b59574a1ef28d273a91395160f8df32337e8b9143e72fbe37d97beb0

SHA512
a72948322c9cc1e42592decc8c0773dbdffab5c02d38b04e856b489d53a25b3d71bdc90879e520c278e0e8597721150c6eaab79d8e67cc994c5c82744e7a5cb5

Download Submit
C:\Program Files\Mozilla Firefox\removed-files

Filesize
16B

MD5
fefbfac37461bd30e05f5befaa1f7705

SHA1
74f9024662db06184e645cab76bfecb0e6897545

SHA256
52523da24287c4d459131c2e4818a713a732765e06e9bbba1cf353888ba34f9f

SHA512
874d6bdef28dea531c858443810d0b026a3a5667e0b9985bce84b7c5ab63d06a015487bd1da2a914d28af7b6568335b1927f9fb9656715947929cd6671ccc4b7

Download Submit
C:\Program Files\Mozilla Firefox\softokn3.dll

Filesize
314KB

MD5
92b97aeafa4779cdbf4e3f4e22065c80

SHA1
badebe5664bd84c4acdf974bd833c820ff728aee

SHA256
f9e9fe54b275bfc0a4c752f9f53b495129bad91eeac357b7b9d510f7bcc339c7

SHA512
a5ef1d8f50d580be669c6f23584ba7b54fa3aec3a06c83e44f19e0f66e46c738828e7b8d68c816cf9628f3d6b4126a2ab0a71b5f78638bf9d698e67aac9b57f9

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\helper.exe

Filesize
1.2MB

MD5
4be3aa2a4d842050fb70ff241eeb5fa3

SHA1
686aa73581471b44247278ec205dc2648a311d02

SHA256
032982389fb8621e768590ec186c79a769496a456ae4461bc5ee07080ca4b21c

SHA512
8a8fe241babfb319eb4da6641180e23850e9ea43ffc99facd0349f81dd4cbce9c320e453656e2e870980f3575ba6022b23121397255bd8d8f1eb28b1240e7d91

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini

Filesize
222B

MD5
4b8dc92a079f224935392f9b5a2dc051

SHA1
1027fc1b3e2e8ae78c60bfb25c5c9f87f9b3cae2

SHA256
79d1631316cd79bc5127f745aa6707b4445f7d0432b685ef2c3ec3cf3a62ecba

SHA512
ad0186cfc9df574e4a3c7c209b5dc3078fb86f6b1de0008bdede6768ec08d61b20f371d7b2d01dc50aa7d094b150db816358f03fa0d9135ce26d80d8886a1704

Download Submit
C:\Program Files\Mozilla Firefox\update-settings.ini

Filesize
132B

MD5
1413131f8cfad1e19d299667bf759087

SHA1
a0435cbf1a2817ec960c56a896d455e78adc226d

SHA256
c18489344fdc21ae366b4d957a0b9f11be772483ca46f9ffab6ed0356f946513

SHA512
590b53aff46903b1883c5fb14492ca85db2c6e0e900d0fdf62c3e6da10f1d10c3aa51224dc6db50f4eb12d42de017892f77e91d79aa16fcaefba10b27748748d

Download Submit
C:\Program Files\Mozilla Firefox\updater.exe

Filesize
452KB

MD5
b9d02351e60c45f9ba7ec395b2638bc5

SHA1
c499dd507cdf95c9e9ddc0b4e36bdb24a726e7e7

SHA256
2753f0953f6ae91768e1f150bd491a083197fa3c94e2f0b62ea0c09965bf9bff

SHA512
1ccc47fbda3a0cbb6d92d3bcf130f681cc7395fe939b0f4bc096cb1dba133c25b4b82446dec9aad61eb0952063c6d1cc9056851a7f6c5bb7f135b1c6d6c7487e

Download Submit
C:\Program Files\Mozilla Firefox\updater.ini

Filesize
1KB

MD5
7a6cbd521497f6dd382f7b8c6aaa1eb5

SHA1
a0bccd339f6d045f0aeb4de504398c97c3dc2be0

SHA256
531b55d2224efa181b75ed4ceb84e4f854f26c2382dc411945515d57d8df2243

SHA512
af32b8b1e93c2fc1bb6c7ce0f371c8cedcdcb753393e8cbdf282424935db5f8f04b3468d450edc81ef28d8b4430d8941dacb2d8826d28be9065dc787c53eb553

Download Submit
C:\Program Files\Mozilla Firefox\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Program Files\Mozilla Firefox\wmfclearkey.dll

Filesize
195KB

MD5
20d82c6ee0eb0901be94e353706eebba

SHA1
24fa38d8b0a081ac5a0b07aaccfb96340694cd9d

SHA256
b1a2fdfcdf6516d0cf39c31c0bb367e952b1b422a2fac638e4cf42e2b60ebbb1

SHA512
3fdc1aa3e4197a2bbc14e6ad6a0d3f921ce33c39873c482f0c80cbdeff9b3bc07b9c01217339b5fa3d5563ff28a8abd7d724632096ded134a5f2415bec73227a

Download Submit
C:\Program Files\Mozilla Firefox\xul.dll.sig

Filesize
1KB

MD5
1efe161fffed7b1e1883e7f9218820a4

SHA1
09fbea927504b1ecfed74aeb443b743997363279

SHA256
92d0e62c8ca1f366201e279fe6e98d22ceabe544822150f55ca93ec7d945fa6c

SHA512
ca03f1fd71bca420d98966034206757c6fda51c127a0e42c6205b8003aa04403187d46a97dbf4f20dfcba1d45803aed1d2670b8def060032a42466138ffe4006

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

Filesize
914B

MD5
74de4c89a7a8c584cf99a7670e41b7d1

SHA1
b3d1136ed57781c2a35ec235495b1e981305b0f5

SHA256
855de90efe5b2628b3ca3b2ef9b24900d363532db502599aced44548d5ea2078

SHA512
342fee81f2110ed5bd0005250103e1a524a264599e2be4cf1eabae377a0c33e0ca13aa5ac43ca4eb10dc95a3cbd55abb75d7ebab473c290f61f676af02988899

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

Filesize
1012B

MD5
879d7e0512c85e0cc1679151c2642fd5

SHA1
5cfa1fa2cfb1119fbdf3529303ee090b6f8cb48c

SHA256
f29ac6ff998133a81cd9506e74f15b2c8f7d0f1bbe64e3959973d1a28ccf4e9f

SHA512
5e89c8f2553932d6f0761032da608dcfa0a1ac8894454c738984daf99417a3232bf798f4ea8f711e7fa73e4bd06e70ca463bd18addacf9f4dbbc92fa664bd4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
380KB

MD5
646bbebd84d5de5ee4fc6f7bab7716f8

SHA1
3a7b06d091c4cf42f7a8fd8f84179149f9889a90

SHA256
774e7a5637e2672e09100cf1d863536e57e6287f130badf56ac665acd324c36f

SHA512
38c519e13eb72b2820a58e9618de13ed54d92b43ecabc218d1bf8da943471f4e338abaffad708be69ada917aa7706ed3976c4e2c42a46177555629770a323253

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kvgg58fx.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
2995d70e85a20b99f7163b4de596fee8

SHA1
56e8d29ac206baa84efcfcdd07a9a1d1bb6604c1

SHA256
5ea189de0ba75d41918826c630a1ae82c24727795b67561209817979fb996595

SHA512
de7451bc5d1f3c08fa6c7d157c9fdf83f9f0b583bf92d677434aa9f514a0c2d0d918e18642f7572eedd433771a13b674ff53c028091cd6928b7afac68e06dac5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kvgg58fx.default-release\cache2\entries\9B91FE023BCBD56290D7B79EC4B65CE35262CC43

Filesize
13KB

MD5
ca9b452a517c4bde98efb35ea0b995ae

SHA1
37f424905267408848c1407fdfca6e702c774951

SHA256
2c444e1e684f627abd9a187945f30e6b8379f238c83b4be2e622bb3fa0f21335

SHA512
6903df18bacb098b47762bbcd193870a6dd3778e03145327ecb15032e2ad6655beca9c626f12aaee2ac81e46abfa7ce9a58e2e1c75724d18fe8ca312b1941ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0B8CA317\setup-stub.exe

Filesize
407KB

MD5
27eba7c268114cde294ba56de94c1814

SHA1
0a0bbce1beaadb36e92bbcd1ed7de601e79528c1

SHA256
958aaac6fec9912ff65b7fa3ee87df665ee38ded11c90222b82efe8569847c9e

SHA512
5879384d9d22771b96db3b37ff9fb625f5c09ef3aea75919889b4450cd1efaa73c61f017d4a32802acfe8c0c90a1ed585062eec1b1331ac0cef8c45e31fffb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\AccessibleMarshal.dll

Filesize
30KB

MD5
48e6395aa12a6d36cccb45e2a95a0e16

SHA1
0a4330262982269a353e0d87632d0bd7aaa47849

SHA256
430c38583db5894d962925687bd234e69a47aa1366e3740281e8f2f0244ab618

SHA512
15992a3bf4c8a66a6f854f972d6d84a213a5e07f950e61c28aebda940b6341037e3982a79a408d402a8197ec0e9eb9d1a3e38ba41d0264f72bbd72f75bed4491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\application.ini

Filesize
891B

MD5
17fb24cddea6f570edad387333a9fd92

SHA1
f6d68a39933d96fc6938d185104467379a0a2aab

SHA256
4befbbcafdcc0a0aff0420e84469b824d1bb5c83c04978323a86b03ec16b935c

SHA512
7253532c30d13498bc509c9349b4d689ebe5a8b22b304d327f60324be132c0a87383e4a52e5ba0a02b27ff93afdcf47065aaa3792e676ae1872c4f471e7b6fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\crashreporter.exe

Filesize
928KB

MD5
0890d61f3572c6bfe246055ebe4bdc40

SHA1
ba40125890e82e260fd866510c75d8b769e0de2d

SHA256
e5d86f6040c144ff7676a9bce1c4c77447006814454573763aa3f496f6b32202

SHA512
83ae9db80f853c2903a7cec31768b77a5a805df4ac19c48e7a766863786c76ab7171011541ab6144c9c1a4ed8b41936045901ae72b3d9f79f406755858bf3e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\default-browser-agent.exe

Filesize
32KB

MD5
fddd54f6434685e7dcf2b12dad804d03

SHA1
239986d46be5ea69b6e418dd5478966229b35f23

SHA256
942e98f96302bbaf0e444f26b5ff9e630bbbc6c8fe21e75773607edcbacd5e36

SHA512
a23439ffd65ddb6c83f744e1a2f89d2cb738861cb551dc7504fd5bd4e1af3f2178975e3c9ddd6d775059e516fb482e3f19e42f718361be96bc760c53c8a48794

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\dependentlibs.list

Filesize
55B

MD5
a515bc619743c790d426780ed4810105

SHA1
355dab227f0291b2c7f1945478eec7a4248578a0

SHA256
612e53338b53449be39f2e9086e15edc7bb3e7aa56c9d65a9d53b9eb3c3cc77d

SHA512
48ecd83a5eb1557dfabfaf588057e86fb4b7610f6ece119d6d89a38369d1c9426027520ce5b6d1cc79a4783b9f39ac58afb360cc76e05bbe8bbbd5128c5d395b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\firefox.VisualElementsManifest.xml

Filesize
557B

MD5
0aa43576f0420593451b10ab3b7582ec

SHA1
b5f535932053591c7678faa1cd7cc3a7de680d0d

SHA256
3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6

SHA512
6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\firefox.exe

Filesize
659KB

MD5
7b12552fd2a5948256b20ec97b708f94

SHA1
77890049e95011b52dcc6d4f02e500452183a1f9

SHA256
5218a481b56474bcd4630174f3610011aef30f8b5ce2b162c2401eb1b0ceb5d0

SHA512
962104aa28571b23b4bd49c59b75d1f35e3b93796c8e338d8294bdb7160a2652d3ebc1a8edae8fca64df71aeb79fe644d10efbc5a4796e58d7626e7748d13d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\firefox.exe.sig

Filesize
1KB

MD5
177ebdf0fdfb0ec358b509614576c8f2

SHA1
3d50fe27b998e883ce76c62c7baa71ceffa878a4

SHA256
3a99b564600c2a39b66edfe4fe493c74beb6e3523b8a94a9596aaa622aac89d2

SHA512
98785cc1e180753efed92aea6d48081528b1d8e7cf62152caaced2ee323493b0f067283f5faa5b5314ab5fba1a82327bbe1c87e5a846fe275a140605dd486329

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\freebl3.dll

Filesize
977KB

MD5
e7c5770ab12e521e1bb3d7eefc082c41

SHA1
b69096aabdd4d64d6108469339f431295096fd7c

SHA256
826977fe4476062c842162406e0a4a2c5ade5b6ae5547afc75b427d34fcadfcd

SHA512
dc3e3c3b7c154af8d863fddc71f98c1f496a2983f04b2af1fdd218f62694cc5fe2fdefe8ecd6929d848a51e768d717f8d463156845d19532baca260124100e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\gkcodecs.dll

Filesize
9.1MB

MD5
5894398d65b5995201b89017966eeef0

SHA1
ea2dffd0bbf29cf23528104d82536e01c5409e38

SHA256
aa4a973b896035590687f23909d359a96e4eb0043ede2cdf86f404906b3b7612

SHA512
2f3b1723ac8daf0f0bb141741fa21dcbf5bad7560592f859326ab7d5ed0497ad4055d38f3f911e18bab104a30884e7d792521315e591bc9f83ebdcdf7e9bf4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\ipcclientcerts.dll

Filesize
203KB

MD5
3a37090222bce3a31a78c88e9e7200cd

SHA1
a992afdf0315b792db4a49344d026442a40c7f91

SHA256
557905481764bbfb09e2c6610411dc65233fd5ad33c6d7a06e5b9c0843e722fb

SHA512
e571c237442351caa47c9b6cbec68872098518a40bee1d929b12e80b10a668b352d6eb586b9ff22c6b47de8409324347aa7efd52e3e58c0638bd3b473796d9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\lgpllibs.dll

Filesize
151KB

MD5
89971e59cb27757a4c5e379a565e0aa9

SHA1
acdc9f2fb1df0380c3a4471ed0e08be15100e45d

SHA256
015416a1f39dfe40a2f659f058c8b95bfed2ff1ff38fe8aa1cd02bcd8275c4e3

SHA512
b7ed83c3e3febd3afaacbeb59b3a871870ff4238943becdcc8c5a680c785f43754907b57c23ba3cef939e4413faf5d34d88e34c1c0360527ec70cb170774c198

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\libEGL.dll

Filesize
46KB

MD5
7c47405b6a596dcc4c115a8b3081440f

SHA1
5e013d1694989a777216f76c4007489f79fe758b

SHA256
0b4baae6980b41c6e81d7dc28481739802962245894ea525c3064ed25d0823c9

SHA512
e804696fb419503f20d8136982a4426a323cce2dbf337d0e5f2f3dfa22e5c4ae7f4509867d8d37ab958ffa8fb231e291dcb8039e1b4ad6d5178b13ecd087708e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\libGLESv2.dll

Filesize
4.8MB

MD5
9e920dda627a6854f57ca3cb897fc889

SHA1
d5e92e8c0c9782eed0021397f29e42ecce2725eb

SHA256
cfd1cf812c15f9b08431ca4bfea537c778b45442b03f3bbfcb7303d5908c48eb

SHA512
02b2a60e323baa9fbd40e05ed9f007abc87a546ed6b34e2bcd3cbd1036e5833a4cb60f1e50e3e47226809598603e34d50c7e1dd2532e3fb1f8111dde0c298a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\maintenanceservice.exe

Filesize
269KB

MD5
e978d6151b66fe13ef6b623a19a092f5

SHA1
8805b92ebe2e78bc2d0fa5b52fa7c02ca7728e1d

SHA256
a45b4b6e3ea4055a8e2302e4a268d527ed7e9acea5ac1e982ef09fd0dae38f66

SHA512
b04b8d71afe90a8857c4efda0a16c9c4e2d6d0f393529ce661b3b8edab1bf92b974eda74c2b893ac5d945bdf376750a9a3932096d85b6823c4e752a19e105a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\maintenanceservice_installer.exe

Filesize
183KB

MD5
7d30691578604c8e9ea373d211b33f1d

SHA1
d4f53147cb62abf19539363ee5180324fd9ad2d4

SHA256
22e0581491bacaa48b5e20f0459fde0ecde3c7e383756c87fa4831ae0117e35e

SHA512
55ecde7c810bef5a4d78d046ecf355ac8547d5c2560c4343f016ef50394d792e31c0c3fbeb59f88333681f50c3216ef583219d372847fa5cb11518782d6e171d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\minidump-analyzer.exe

Filesize
752KB

MD5
7403dbfa928c8ea9292a0ee5fb5357b1

SHA1
18cebf917e836e73dba905aa46d47b7e40f0f1fd

SHA256
529c2900639682b41a27a9a2fd24cccb5ef22dcf4cec798652842aaaaac144cb

SHA512
76fe2f79b868059507b65a655f9f6d18934f918740d9b8bedce937ebfaea90fb394c89febb07fd6bca9d87ac38fb8e4d57e6013fd47bd96eca20ed175486156a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\mozavcodec.dll

Filesize
3.0MB

MD5
d78e93b0db98c0c61093b65aace07d28

SHA1
36d552240d8e0efd520e594c9f741281e2c07170

SHA256
64e4ab387da542eeb5f7c3e94d78325613407eea2b20c423e189a7d5b7a861f4

SHA512
73f98c9d20a892376b5f90dca923180a6eada2fdec230d2757424d3222c109da9222377589b78360c5e5f6cc32de6f72195b29169df770f2806df04b101ef64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\mozavutil.dll

Filesize
560KB

MD5
cc369f71d70c47170810f5c9216d32bd

SHA1
6439fe93e3acc0fd8cdb51eb4d8d30de03b81a2b

SHA256
0a3fb828cc9e1c67f31e6d8a2c40431182c89cc312b1f6e9e8a019f4c75f2f8e

SHA512
56b65d154a47f0e63ec4ad6dd21d946d775ae7ec41131e3beb872e4d87d64b1e997945620ea164b5b7087f92d833cbef4c420d8058f8cb1c821325a26fb4f99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\mozglue.dll

Filesize
1001KB

MD5
1585506187ade02bddf457732ec2d333

SHA1
00da4ef4ad23fd4dbd62d608a1518d24707a5aaf

SHA256
30a42964ffc0ef3d86b96231ee59b1d0b706e0e72449aaa62a4ace21ae93cc4b

SHA512
68a8295f57b9b75458de3814e151d6a998a621b21531f72696682f43684b944f2f73013ba4399d9128c4f6511726788a83e6acacfc5f2fb16632d9f4cb7e9b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\mozwer.dll

Filesize
322KB

MD5
e87dacbbdbfc5afa38efbc11a5e21cbe

SHA1
e2f9a30bd32d097d30f05f2a0dd6bbe050bc4b18

SHA256
d8a6117d8d8c76b33c24c206b43b6a36424b31a488965edfb8cca3dfd2b486c8

SHA512
978f1b3ed2363ef511c15ac3ae7875aa41f32018c574921b2be0531e89fd50a31c4e30adcfc9d0c6aa204e14757afeca51d1c081aa83b06c705b6078a738d7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\msvcp140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\nmhproxy.exe

Filesize
626KB

MD5
16e1e5161c478e0a9331ad98a2e2cf90

SHA1
7a667641a1d4145bc365080285d316068fb7ac6f

SHA256
6165c719e77098f65682b90df4372e4399cb65cae3997790a6aace9b7d6580d0

SHA512
d8ba0d119891fa8d3a184a115844693092a6561ced235cd1ebaba86e7d92690f92444885744a6a70703363d55bda83387ce541e3dccb14fbbd85badd6cf0c44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\notificationserver.dll

Filesize
59KB

MD5
c55c2e64b619f977dde99f6fbb18366f

SHA1
3a45960d2b04e5474285a67d019dded3ae328788

SHA256
dcafb39a979e3e3ae860fdac4e73f0a467b8f8e21e8f717c9525d9fca3ec1eb8

SHA512
afdeca2c254874e2ed5d46ff7ef786c1570d4f1b5d228d1dcc954571059c92e3844cea387bde698f743f31a46129f44ecc530068a6f9e9f89670e100346070c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\nss3.dll

Filesize
2.6MB

MD5
23b6183aabdb6f4250bc40b0aa683731

SHA1
900f3e7ab2fe553a76956184deb9605cdc926a0a

SHA256
8b408fdcab20e6dbd02f2caed4ecab78deef8fe9014aba2211e3b54ab587a4af

SHA512
e642cbca933af064f316c69ce6ec520367adfe6b0b73a8e50aa4fe1bb0239eb3d35308ccb2e62cfc67ad89145ed11437eb9fe924cd5af1aeefc0d4c49ddc3388

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\nssckbi.dll

Filesize
365KB

MD5
90235b654e44a8bbf22ccffa1b6415b2

SHA1
2424191698c8cb9976454f085b1b13b685d7f9f6

SHA256
75301e616641cc4934ebd52d47bd72f513d0a0f59e398f88131476040f1f4459

SHA512
bf1d1a79a3415f325f3137258bfa8a6c0f1c4369637314b2e50ebe379d185ba71b9adc6b43e94d734e953ef32adfa322d724db18619aaf9f86df93e5fc0bdbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\omni.ja

Filesize
32.5MB

MD5
185363c13a3f1f9e12814fcb62345ad1

SHA1
c75907c507bc31b5a6e4206130e135089f0a0f44

SHA256
648d9dd089a754dd38032cc12d9663d9bcabfbb6f10c204c4f8e4f435cedc013

SHA512
a321377169625875f5456561a49c3a2bc0f75dcbc344923befd85150ce560ffdec3ef5b400f7a9a460dd4518e32919d65ee5b94a4b0b21f3a03ee84b7195193e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\osclientcerts.dll

Filesize
355KB

MD5
df72bf9194937b5a9d4b5908a0207b72

SHA1
80317022c25c31afc40be049f567403c83b036a3

SHA256
067057ab966050247628e91b8d2d702315bc6f14946d18cb86672b120fbc9858

SHA512
f2fa9cae34058e99e07df5531594387d5135e7482a665e1c10028966343d289021eb40c9c4271e236ad4c8138691662cc6d032e45f4339a67fbe5eb629a2d77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\pingsender.exe

Filesize
77KB

MD5
e58eddaeac461dc1db38f351b70a0ecd

SHA1
c8c87ec698e2982a2670c8b553c0a9055b9d96ac

SHA256
9a686e1f26212e1f48b1225412dde7f5e9dad7389802db4eb9ce20ecc509aeaf

SHA512
5a5106fbbf56e58e2a6e4297b5c9215a6e091235f234c150efb39b815254e2e89125890756c160b63ce2b01b7708023acca4adb19f2ac3efaea0d4f906467b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\platform.ini

Filesize
165B

MD5
b9df358170ecbf0f7104512a032a04ac

SHA1
91cf307c08b49873fdeecf66e93d61b9aca6ed80

SHA256
a592ed5e8c8a2f50f7969374d3c34ec145064782d10d57eb39cc080d9c886dce

SHA512
1bc044b8bd2104f71d789eb3e867d49445bcc677687f482541654134f83aa2bcb8ef48f4fdaff7d8afee1cf8447eadd7a4989526392c2cea32c3688b0cdafd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\plugin-container.exe

Filesize
282KB

MD5
a8182bb63fa29f800f6463a6d76de922

SHA1
c8183e345c28a59f96377f79b2eef7b711a610f3

SHA256
f9c85db13e3117df748f3e7871d9763f5bbe80a217562fbdc5fb2f09bcf51bde

SHA512
dd5bb0d4f3478cdc71ca42f30d79a3d95807886291a2caad0e023d1a44c358cd2e965058ae5bb8c649158f790d167308dc906d712de6c9ea33f35a6a8d9c1a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\plugin-container.exe.sig

Filesize
1KB

MD5
6d0c56d96132121bb61f8140cde7c59b

SHA1
ef7b91d24f09d907d509c76e01aee6215b0b6fe2

SHA256
48f64ec0295fe25beaddc70099f5a4b698ef6a1ba4d0301019468fc81481be96

SHA512
81fe4cc284ce3c16031ddc0fc5efc94870b647f1461d20d2c2c27c9164455d7572c13d8d671e337b099f9921056b1585c5aa85a2e01df2c8d9d15d1752299a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\precomplete

Filesize
2KB

MD5
2363f635deeab900de46c9cfd85648a4

SHA1
fd2ab0fe5ba395025b9964422d21634769859f23

SHA256
9754a6f4f6bd15228e53f84c6c47deeff815f07cc8559616d640211bf7244177

SHA512
cbf43d11b3d35c9284ffc9be100fd6a6865919f7e09e6ba87fbc99995f44874477fed3b67c864c7c37668682ff45ca5e7f1b86ff916695e8817b48d4cdc8360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\private_browsing.VisualElementsManifest.xml

Filesize
559B

MD5
b499ede5c9228c742578086591193efe

SHA1
18e682ec73ed8fcea99893142fa8b08ee8a32b72

SHA256
9ea86a18d41112e25b17454044ac29b458f508d9814700a6f4c0f9370678f3ae

SHA512
b99ef0e9152da3bf6adac5fef67b44738ae7a2d1ef0041786a5700b8389acde7380f1bc9bf1402c7a356f1777aca7c2b05af5ee22b7297bc879fe2e6b9741f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\core\private_browsing.exe

Filesize
63KB

MD5
9e7942bbe1c040a1dba5f59e9720904a

SHA1
82dd19feb2ab227c847e0c1aca2d9ef916555c8d

SHA256
f7fc3afeab32161896bd31c82f7348310334ab4df22637e49dc8c3eb722630b5

SHA512
192b6240726d835730dfd784871dbe0b4bc39dfdc582e8f66aa7d1574242514fc55e27cbdd7b502cf6318da26486a8c5d4b570d53d9422d164d4b1a38e2a3a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8DEA6047\setup.exe

Filesize
940KB

MD5
3449a323ae78bad23d1e76586d1b63d6

SHA1
fe72d3715a0204febb88fa5192c073e68778990d

SHA256
cdb3ef2b1def8390b012d5cbb54c3ec34a4688ae7a4a7a8d89c40f1bde9eac24

SHA512
a917adea486d2b04558c2cd7a4e2cd9d4185cd44a834cf0f54b6d7e314589b2ced98c5a52d2f5748fd8182c9fd654a7e4a28d29f973218a9119c233b2de7cdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bNA0FTDAadW12O3.exe

Filesize
306KB

MD5
b1ec7bff4192f75a0a53608047a190e9

SHA1
7686a580333e8d60e1806418c8467e85beab4d2a

SHA256
134e9f12545c3300eedc7a5644c28f390e00918a15fbcf2143492810ab4a5474

SHA512
2af2d71ef3f292888adbe9836ae8bb3b1a8f99f4c95be0565515adf544c989e4ff722342721500b0aefc5f57178a1de9a916c4096c3f6722b42dcd0063cd6067

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\AccessControl.dll

Filesize
21KB

MD5
eb7a540d0d2e28f6bf524d2cdbe0f478

SHA1
76204991c60913cffeba5595033c4f79e1e89bd8

SHA256
ef4b548b27a6edab3bcb25cff0598918c645795850d62f232909dee851e04c6d

SHA512
947132d07f7875dc99fbe8a87757f6efee0a8c6271f8a3bac6747f9f4f60ed7e203e28a588db8c55ee898ba8f3dcf640f6562c49c45d6c6d8fdbe2d2309b9984

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\AppAssocReg.dll

Filesize
14KB

MD5
012461cad43cc5a871bb2019a461a2e4

SHA1
75617dce95008117b5b1bd602bbbe58dfda4e6d8

SHA256
eeed86addbf5989fe54e862e68e9a287eeaad11b209c26de67ab660b21445e15

SHA512
f1c42d0703e5c4fafae2fab90a7c23499e8b72f9e04ecc10602d1c48ca08781000cda36af86577b3e2380684ca442db54668f390822f3590b6dca6507e80fa2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\ApplicationID.dll

Filesize
55KB

MD5
fdc0338e6faeaf6f7c271982e103473b

SHA1
9a41f7932abe8be7e32c6371f085cf14de355d00

SHA256
a9dad9fdaae93d10dc2ee346b231913445e731049554b8bb1506827e46f8a44e

SHA512
a766eef11db4c94b1445d1cd70cf1d3b6141d6b3973562e9fa8d81c79195886b884dbc9b9f6952f8a6e8619534a6bf2d615d539d2cace9c8843dc19415051cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\CityHash.dll

Filesize
53KB

MD5
2021acc65fa998daa98131e20c4605be

SHA1
2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

SHA256
c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

SHA512
cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\ServicesHelper.dll

Filesize
14KB

MD5
b9e8c2212ac8dae4b0eaf97c048529fa

SHA1
331d172323480b0518abdb0cc9e256dc7f46c357

SHA256
d6f6758adac2c073bec481e8de762af3a5574789bce3f43de02356afc9911e0f

SHA512
d93aa032e27c8268a4f6883711cf41f7ee2b5d33673a26d78db24456f2c548af39b7b98ed4b4737245c278d524fffb3e4bf708b6815dc866acd371427ff6be96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\ShellLink.dll

Filesize
14KB

MD5
fa94d120efb029b43217c66bbc8c650c

SHA1
1fcf2d76adf69b403b7400681ac91d50ed20385f

SHA256
5f6f414b412c72b10f49eb92af1d368ede531b58fb200d539fd2b45e371612db

SHA512
07ed0771d5bbb651ea7421a5f6b08fa234f9cc041315d9360a7135ba12180064fc99a27725385a8ecd3ceb25bed5c00de169f7dabb3ccf6e987f45254dff8158

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\components.ini

Filesize
610B

MD5
d99af869f79f676872a8999b25e9dd22

SHA1
ff35f7cf1414cdacd7cfcaf79e4030a53be578d1

SHA256
9bcc1706834feed083da8e2d4fde24cb873efeac9c7a876c1b297bd3777dc83e

SHA512
65680e09d81515562e3fb81e89e273ce15dc76272cbddb7a1e47105c61f2b226044c05813aa689f6badb1626551c4f46d82398ef46ecb4a54aa52b1f9d2ca621

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\extensions.ini

Filesize
44B

MD5
c9b5d86a9a0f014293b24a0922837564

SHA1
3cc73b4a30a1a0bfdc6812bbd17994f53eb5db2a

SHA256
775c85f3552754ad3794b88c0cb6d6fc43d412cd9a87a4b9e847386a5bd0a9c4

SHA512
790f365afbe4c5a37dbb56443d38f0c439eadca002e4001d373d6db8c1d80c4adacf3749e9d210cd0316381682fbbc46616a3fa36581c7ea6f5ce69119944b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\liteFirewallW.dll

Filesize
19KB

MD5
f31ba98a8d87faba153eea134968c854

SHA1
da0865cc1a86a39367f22897e1f9fbf4fb1f804f

SHA256
708fb54cffb6aea3547fc5ac745d1435ecc814df563bef59ba7a94f57d082bbb

SHA512
d991a2dd5ef537b25898afd7b7e73274a3cb8e6f5fca1621af22ee2761b82baf220aecb0c84434566742e2ab00b2f57a3740ce9831e76d4e1829bac3e044c8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\nsExec.dll

Filesize
17KB

MD5
0e584c7120bd474c616013c58d51dc6b

SHA1
0bc980892341b52985d92fb3d8fbb6be77951935

SHA256
7fb626aa05bee1095633a75aeb7895ebd816a98e0aa1581a0154e4c196de5391

SHA512
aa3a471b3f33c3ffdbe1b1e3c1e5d04367bcab3c16049396a8dd12c5a8317e4b153761f74f39b756dd4fb1806aedc4f1bb38bfbc12f16480eed3fd3087a0d157

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\nsJSON.dll

Filesize
33KB

MD5
e832077eaee06f3b2ac9a8d2e7264567

SHA1
decbc329257c9c7fb67d3c449b4c5dfc1f87471f

SHA256
705f4947fb94254c4e5084e6a962045f6a4e790dfc1ecf59cd0fc3feb38bcbbf

SHA512
c1bada98c52ee2318d23c48fe202380eb42c5e1f18226cdc017f264c8c34f548bfe4d9b6eef13caae69ba321a71b199431b249fdec65f8bb1c386810932ccf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\options.ini

Filesize
1KB

MD5
f50ac2442dddb1ec2bd0dd5410fcfbb4

SHA1
13a4a1dbd6cad83aa6e5d9043b6d98e1bf4ec371

SHA256
89b31e3fe0c4390d252a686512bacec6f53e3f4da6d1f12bca2866d4ba37d021

SHA512
697bad94809681055d19fb03f8979c79bb948bd01888392a0fff37b30fc87f965e7f716c0c28de6df6746518a5d5c26006e3a313eecbc6f8bdbed25d39d6f8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj760C.tmp\shortcuts.ini

Filesize
874B

MD5
71851e095439dfcac9099254c0881673

SHA1
d31c9dfade1d31b937872dd6a8761c4c117ef588

SHA256
97ef03760837f339242d39927e0f9fa046669ed66b9a413b853ea8b6450ebfc4

SHA512
1025ff9cfed7f064670b43b401f80a2a805354cdd0f3a348c3935e15e08d67d9fb05d028b259a66003403425d842d5f10aa88e9bb57563765cecb91e85ab6c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\CertCheck.dll

Filesize
4KB

MD5
837429ef2393bd6f8d7ae6ab43669108

SHA1
bc1a6e461de60db2f3036778c761103c02374082

SHA256
9e1831bf44b75980903eff8446960f21ab323b9f8249ddb49519718d873135d5

SHA512
c9b464377720799030e7303ea98acd38dc56ef0ae613ec540a5d9907d84bb7c455f6e02b38073901ee717bfdbf92137ab095aa9ce047971b6a2e6d3bc9d039d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\InetBgDL.dll

Filesize
33KB

MD5
73a0bec837004bc5ae5cd0a5b0d3bcf8

SHA1
92cb463841b6adeecb8cc9cc8eb5f39a61dc7edd

SHA256
0dd38281a824298100b2bc89ee5b8a5c9cd9ec7a3b051dff42037a891fa7c534

SHA512
f7aa18261fb4ef99b66e9a16e2df6323d34444de84a5bdabd3890154b0207f8509f34f2fe115b00e2396d33df778be6456a7fd754cc00271f8189e5a4420b6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\bgstub.jpg

Filesize
17KB

MD5
49de6374f83191fde6836418fc489837

SHA1
7662e9717a996101559db15c16573a81e99de833

SHA256
04009456682876f46abfec45f629f1d85dd518f05a84d8d4700b56f2060fd071

SHA512
0a272b0b73da08069793398e6e36b45f8e3c7cd8e2b62dafb42e79c194041df8b4fee1c312cea76c86a51c7557ffe8cb2f4b6b110c6e70ee66112d76ae5fbe81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\config.ini

Filesize
187B

MD5
ed23468cb20f1f37a967eb26f639faef

SHA1
5707e3d394b6a3e36e8b1e23317ec115bafa1e9c

SHA256
812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913

SHA512
9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\nsDialogs.dll

Filesize
9KB

MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3876.tmp\nsJSON.dll

Filesize
18KB

MD5
e89c7cd9336d61bb500ac3e581601878

SHA1
45b2563daa00ba1b747615c23c38ef04b95c5674

SHA256
431fc2ed27d0b7a1ce80de07989595effcc3ffb1dea1af6c0e178b53f6bd2f1e

SHA512
09485a354ac4ace6084cb6fcbd92eee8488074763c8443638f78e655e45e8aa0fe40a45d4ce0dff116ed3a4bb7bc4d7d845a6ccf0e0bf35533ce81626a8db06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\ucv6asry.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\AlternateServices.bin

Filesize
7KB

MD5
1cbe4a52c3036f2cd47f39f209893fc2

SHA1
efd73abef293749acd7e745729850782382bacd7

SHA256
b33d4c8db09d3d153fe87860a6fc439a18f81656e6dd3e7a3edd484d4fc77651

SHA512
d540b8cf2a7cb27a0123ed2931a51e2f30c081a320cd6b11f90f1904001ab69c451d3debe486dc892db797a1912756bcb766f17b49f094b6d1e3242253190412

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\extensions.json

Filesize
49KB

MD5
88cccf72f74c347b299f8737f9362663

SHA1
87ec20a8825785ebd03784a838ae84df2e699ab3

SHA256
b6698644b010b62757133deb00c348abf70c138f15bc3b9607b8e96691180135

SHA512
edf4f1a01e085db4e9959bb87c1327e38f3dc08510fd8f3a9cb987706e30c78ed8639906262168abdcecfe10b53e8375d48ab5802c79475d0e7dbdcb02f844d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\extensions.json

Filesize
49KB

MD5
11ec8e2e620b58fb420a7408ac11ba37

SHA1
990a59e9646e51be560ebc0194e01ee4838f90a1

SHA256
f6436baf24b90a43c93ed6c6a6cc75f993b34e7bc872cfd1d1ea37accb5f1767

SHA512
71485dea3c31ef39c01c428c3f4c4623168d8a9b2b4f75ed13747a3f6391c37313f9b64950781b3fdd0316add6b87d1cf4b73a65b1b006d2f834e257e3876f6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\key4.db

Filesize
288KB

MD5
8444d1923bf4798bde1382aad9733896

SHA1
8f1f3e8bfbc65c2e9e6ae0c1eedc6ac59858ecd1

SHA256
1e232bb89ff517bffaefe92e993f9f0731bc2f109540dfd81be2ccae7ee876e8

SHA512
9b42ec93c312d7ff09ffb9b08430d9f58ea13db21a5b6fb6e5fa5be1cf989a761200c57f96282c30ddf8626c9fbc85485098d6b47c8f839d45078f5eb814aa65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\prefs-1.js

Filesize
7KB

MD5
703a2fcf1bd91cb671847b699b7523bf

SHA1
2458f01c6455285bcef31da518bd712b2c25a8c9

SHA256
c009c634fc2a096bb62d8ad985848697648dc7c6cda3affaed56a1c511a5948c

SHA512
ea9d0916703b31a790eb8f21b7d9c861bffb47bc7a0e23824dcc3134410644b90e0a73c2e920d9309554cf5397e7598cc867d09fac60ad76f1fef0285d8b8444

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\prefs-1.js

Filesize
11KB

MD5
9678ec6af8a0f56b091a4c931698e110

SHA1
f37f0e88a21092fd2f6fa47683de2e2cb89ea80d

SHA256
5b7a8587eaf9b5c44e131baf526e1d5965f171aa07fcdc2d7e19d9fe59b58f76

SHA512
c8b0ce1522db17e4f25d04cf48561edd2c5f100b729c622d6c4e98123aa2f3c7ef8cfa44ebdffe70816e3a6469b6917520f98d9eabd6260f29db37542e883cfc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\prefs.js

Filesize
15KB

MD5
3813707756a537ad46a2d94a71e74353

SHA1
c3aec9b5d0cf16442e565a3518139eaf6655aad5

SHA256
c33248a3cc52cbaeeb1464ac04e8ff9febb82ad011591c6433082eb47917a903

SHA512
74681f1555dcf372663100b90a49c41261d5f9ade1e28a53e99f25fb58f0250880459ec78f4d895ac3b27ba1030dc3dcacd7fa8af9d4f8a8986fd4fe4606bc58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\prefs.js

Filesize
10KB

MD5
c8112bbce4ebed72459767382e52f9b9

SHA1
4cc4cc6a2487ead8550c501f526fcd5d1a615706

SHA256
fed15a4d2df2a32a01bce85bd6e3b6f58edf03c50d488753aaccdd90054ad312

SHA512
78a386dad3a7bbe08d722fa2a30a6a96a1a3bed1b95b9d9b289304d5f1d205a75d29baefadf7b2fd3a537a881e1a6425ed1eb9d8ca727173e90b8edc65d227a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kvgg58fx.default-release\prefs.js

Filesize
6KB

MD5
c6bf15809f6d57256551d7f824aba929

SHA1
54968b150de5752278f572c0029d3ba46ebecaa2

SHA256
16b8b0a3e32633f2828b2a27409848f923fad3881e8580b962f287bbd7552f6b

SHA512
7746898bfff1b6b196b588e18bf804e0b1bfdb9f24de7a23a4c641e2e5e8b67b7192eee5f592f1ff3032cd868e7cab05701f5f71b49ce78df357cbc01b6e923a

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
902B

MD5
96c00eb2f2a79cae31de4a23cca5f344

SHA1
80ca3aa943c84ef569de7d0222808b8b2b16946d

SHA256
2889731be412544031700e8b4c225fd9b65a05f2af9dae78e8e07549d2661550

SHA512
4f62a69851e3d58daa1889055512fa9f4f88ac9cc6ecd16a45049333935af5e7e565adbae0221c2a89918f63f82461773761a5b0185951ce3f9e75ea344905fb

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
336dacf6383e820c98f88b98d06f22eb

SHA1
bd33ca399c1d83d94e211b21957f2cb0ccfe465d

SHA256
dcdb0ff5897d3bc8308e106b6efb9b0410b49377af9f147b68e1cb25266da161

SHA512
97639fe85a763d0ae014b9b80b750df1d3616e5d3189c715bda57643f331bbddbeedbac13e6ef13834945d87a3b9bcc58602e3b2f71d0fd60044b165e81e73f7

Download Submit
C:\Windows\CTS.exe

Filesize
59KB

MD5
5efd390d5f95c8191f5ac33c4db4b143

SHA1
42d81b118815361daa3007f1a40f1576e9a9e0bc

SHA256
6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

SHA512
720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

Download Submit
memory/864-0-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/864-10-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/1864-91-0x0000000004A70000-0x0000000004A7B000-memory.dmp

Filesize
44KB

Download
memory/2224-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2224-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3800-1185-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3800-137-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4808-12-0x0000000000090000-0x00000000000A7000-memory.dmp

Filesize
92KB

Download