005edd872f31267ede642c1cbc36eaaa1e82e4db1fa3c6d93ec2da4f05a683cd

Analysis

max time kernel
93s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FirefoxSetup130.0.msi
Size

63.5MB
MD5

6c2ed006c62462e30f868b2677e18bc6
SHA1

18905ef1b2f86a033400f670157f5e3a4b25e1e4
SHA256

005edd872f31267ede642c1cbc36eaaa1e82e4db1fa3c6d93ec2da4f05a683cd
SHA512

1161322676a2b894c2bbbe8dd4e404a5330aff0cd3b49c94987ba1988f48f103cb2bfcdcea65198d8b32958959439ab311fa345b8dee08656e119d1ed30852b2
SSDEEP

1572864:iVfaIWjNUTa/J80gRGVuwuqcsL0jqE5sbDZB6P1ueYA04gzxBm/a:gaIIolouwuqcsnE5mHev04gMa

Score

7^/10

discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1784-33-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1784-577-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	824	msiexec.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_ED7ECDCC0DF46318C6D4F8EDE379061F	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_ED7ECDCC0DF46318C6D4F8EDE379061F	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27	setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File created	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\wmfclearkey.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	maintenanceservice_installer.exe
File created	C:\Program Files\Mozilla Firefox\install.log	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\dependentlibs.list	setup.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\notificationserver.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libEGL.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsoE36.tmp	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140_1.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe.sig	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\	setup.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\updater.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja	setup.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozavcodec.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\	setup.exe
File created	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	setup.exe
File created	C:\Program Files\Mozilla Firefox\application.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\libEGL.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozwer.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\	setup.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\Mozilla Firefox\update-settings.ini	setup.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	setup.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	setup.exe
File created	C:\Program Files\Mozilla Firefox\notificationserver.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\	setup.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1294A4C5-9977-480F-9497-C0EA1E630130}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF8C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC33.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f4b0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f4b0.msi	msiexec.exe

Executes dropped EXE 9 IoCs

pid	Process
1784	MSIFC33.tmp
1724	setup.exe
856	maintenanceservice_installer.exe
1960	maintenanceservice_tmp.exe
4340	default-browser-agent.exe
3376	firefox.exe
4524	firefox.exe
392	firefox.exe
1300	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
4496	regsvr32.exe
4496	regsvr32.exe
1724	setup.exe
1724	setup.exe
856	maintenanceservice_installer.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
4340	default-browser-agent.exe
4340	default-browser-agent.exe
4340	default-browser-agent.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
392	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe
1300	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
824	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIFC33.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maintenanceservice_installer.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000096fabf83e47a2dea0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000096fabf830000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090096fabf83000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d96fabf83000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000096fabf8300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Mozilla\Firefox\Launcher	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe\|Progress = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Installer\308046B0AF4A39CB	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Launcher\C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher = "51620655597"	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe\|Theme = "1"	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe\|Theme = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\DllPrefetchExperiment\C:\Program Files\Mozilla Firefox\firefox.exe = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize	firefox.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Launcher	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Mozilla\Firefox\Launcher	firefox.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Launcher\C:\Program Files\Mozilla Firefox\firefox.exe\|Browser = "51515559300"	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\DllPrefetchExperiment\C:\Program Files\Mozilla Firefox\firefox.exe = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Launcher\C:\Program Files\Mozilla Firefox\firefox.exe\|Image = "1724922305"	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Colors	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe\|Progress = "0"	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Launcher\C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry = "1"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Mozilla\Firefox\Launcher	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Mozilla\Firefox\Default Browser Agent	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Default Browser Agent\C:\Program Files\Mozilla Firefox\|Installed = "1"	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Launcher\C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher = "51511552796"	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Launcher\C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB\ = "Firefox PDF Document"	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Launcher\C:\Program Files\Mozilla Firefox\firefox.exe\|Browser = "51623364742"	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Mozilla	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Installer	setup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB\EditFlags = "2"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Installer\308046B0AF4A39CB\DidRegisterDefaultBrowserAgent = "1"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Colors	firefox.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Installer\308046B0AF4A39CB\WasPinnedToTaskbar = "1"	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\FirefoxPDF-308046B0AF4A39CB\FriendlyTypeName = "Firefox PDF Document"	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Mozilla\Firefox\Launcher\C:\Program Files\Mozilla Firefox\firefox.exe\|Blocklist = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\blocklist-AC3F455D0E724E7A"	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment	firefox.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Mozilla\Firefox\Launcher	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CFBAB5F5-47E1-41BF-A008-BFAE4433A5E6}\InProcServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\FIREFOXPDF-308046B0AF4A39CB\SHELL\OPEN\DDEEXEC	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{CFBAB5F5-47E1-41BF-A008-BFAE4433A5E6}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods\ = "8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB\DisplayName = "Mozilla Firefox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CFBAB5F5-47E1-41BF-A008-BFAE4433A5E6}\AppID = "{CFBAB5F5-47E1-41BF-A008-BFAE4433A5E6}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\FriendlyTypeName = "Firefox PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ = "ISimpleDOMDocument"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods\ = "9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "ISimpleDOMNode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\ = "open"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\ = "Firefox PDF Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\ = "Firefox URL"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\FIREFOXURL-308046B0AF4A39CB\SHELL\OPEN\DDEEXEC	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\URL Protocol	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\ = "Firefox HTML Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB\IconUri = "C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\VisualElements_70.png"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\FriendlyTypeName = "Firefox URL"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods\ = "18"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\FriendlyTypeName = "Firefox HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB\CustomActivator = "{CFBAB5F5-47E1-41BF-A008-BFAE4433A5E6}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\DefaultIcon\ = "C:\\Program Files\\Mozilla Firefox\\firefox.exe,5"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CFBAB5F5-47E1-41BF-A008-BFAE4433A5E6}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\firefox.exe\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
916	msiexec.exe
916	msiexec.exe
1960	maintenanceservice_tmp.exe
1960	maintenanceservice_tmp.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	824	msiexec.exe
Token: SeSecurityPrivilege	916	msiexec.exe
Token: SeCreateTokenPrivilege	824	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	824	msiexec.exe
Token: SeLockMemoryPrivilege	824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	824	msiexec.exe
Token: SeMachineAccountPrivilege	824	msiexec.exe
Token: SeTcbPrivilege	824	msiexec.exe
Token: SeSecurityPrivilege	824	msiexec.exe
Token: SeTakeOwnershipPrivilege	824	msiexec.exe
Token: SeLoadDriverPrivilege	824	msiexec.exe
Token: SeSystemProfilePrivilege	824	msiexec.exe
Token: SeSystemtimePrivilege	824	msiexec.exe
Token: SeProfSingleProcessPrivilege	824	msiexec.exe
Token: SeIncBasePriorityPrivilege	824	msiexec.exe
Token: SeCreatePagefilePrivilege	824	msiexec.exe
Token: SeCreatePermanentPrivilege	824	msiexec.exe
Token: SeBackupPrivilege	824	msiexec.exe
Token: SeRestorePrivilege	824	msiexec.exe
Token: SeShutdownPrivilege	824	msiexec.exe
Token: SeDebugPrivilege	824	msiexec.exe
Token: SeAuditPrivilege	824	msiexec.exe
Token: SeSystemEnvironmentPrivilege	824	msiexec.exe
Token: SeChangeNotifyPrivilege	824	msiexec.exe
Token: SeRemoteShutdownPrivilege	824	msiexec.exe
Token: SeUndockPrivilege	824	msiexec.exe
Token: SeSyncAgentPrivilege	824	msiexec.exe
Token: SeEnableDelegationPrivilege	824	msiexec.exe
Token: SeManageVolumePrivilege	824	msiexec.exe
Token: SeImpersonatePrivilege	824	msiexec.exe
Token: SeCreateGlobalPrivilege	824	msiexec.exe
Token: SeBackupPrivilege	4252	vssvc.exe
Token: SeRestorePrivilege	4252	vssvc.exe
Token: SeAuditPrivilege	4252	vssvc.exe
Token: SeBackupPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeBackupPrivilege	832	srtasks.exe
Token: SeRestorePrivilege	832	srtasks.exe
Token: SeSecurityPrivilege	832	srtasks.exe
Token: SeTakeOwnershipPrivilege	832	srtasks.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeBackupPrivilege	832	srtasks.exe
Token: SeRestorePrivilege	832	srtasks.exe
Token: SeSecurityPrivilege	832	srtasks.exe
Token: SeTakeOwnershipPrivilege	832	srtasks.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
824	msiexec.exe
824	msiexec.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 832	916	msiexec.exe	99
PID 916 wrote to memory of 832	916	msiexec.exe	99
PID 916 wrote to memory of 1784	916	msiexec.exe	101
PID 916 wrote to memory of 1784	916	msiexec.exe	101
PID 916 wrote to memory of 1784	916	msiexec.exe	101
PID 1784 wrote to memory of 1724	1784	MSIFC33.tmp	102
PID 1784 wrote to memory of 1724	1784	MSIFC33.tmp	102
PID 1784 wrote to memory of 1724	1784	MSIFC33.tmp	102
PID 1724 wrote to memory of 4496	1724	setup.exe	104
PID 1724 wrote to memory of 4496	1724	setup.exe	104
PID 1724 wrote to memory of 856	1724	setup.exe	105
PID 1724 wrote to memory of 856	1724	setup.exe	105
PID 1724 wrote to memory of 856	1724	setup.exe	105
PID 856 wrote to memory of 1960	856	maintenanceservice_installer.exe	106
PID 856 wrote to memory of 1960	856	maintenanceservice_installer.exe	106
PID 1724 wrote to memory of 4340	1724	setup.exe	108
PID 1724 wrote to memory of 4340	1724	setup.exe	108
PID 4340 wrote to memory of 3376	4340	default-browser-agent.exe	109
PID 4340 wrote to memory of 3376	4340	default-browser-agent.exe	109
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 3376 wrote to memory of 4524	3376	firefox.exe	110
PID 1724 wrote to memory of 392	1724	setup.exe	112
PID 1724 wrote to memory of 392	1724	setup.exe	112
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113
PID 392 wrote to memory of 1300	392	firefox.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\FirefoxSetup130.0.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\Installer\MSIFC33.tmp
  "C:\Windows\Installer\MSIFC33.tmp" /S /TaskbarShortcut=true /DesktopShortcut=true /StartMenuShortcut=true /PrivateBrowsingShortcut=true /MaintenanceService=true /RemoveDistributionDir=true /PreventRebootRequired=false /OptionalExtensions=true /RegisterDefaultAgent=true /LaunchedFromMSI
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\setup.exe
    .\setup.exe /S /TaskbarShortcut=true /DesktopShortcut=true /StartMenuShortcut=true /PrivateBrowsingShortcut=true /MaintenanceService=true /RemoveDistributionDir=true /PreventRebootRequired=false /OptionalExtensions=true /RegisterDefaultAgent=true /LaunchedFromMSI
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4496
  - - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
      "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
  - - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
      "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent register-task 308046B0AF4A39CB
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        Suspicious use of WriteProcessMemory
        
        PID:3376
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent register-task 308046B0AF4A39CB
        6⤵
        Checks whether UAC is enabled
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies data under HKEY_USERS
        
        PID:4524
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask install
        5⤵
        Checks whether UAC is enabled
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies data under HKEY_USERS
        
        PID:1300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f4b1.rbs

Filesize
925B

MD5
05d0cab4589ad870c8ad09d2977de97a

SHA1
45c95defcc534df7640445825cb41ba9eda68783

SHA256
58f5735bc5fa3a2bc46576a116dc572ed56025d573ee0e074a50fe6c39f7596a

SHA512
05fa1f03fdb47f57a3e5eb850d54161770684089a3fbcc69ce3673e6c23752e2dd41ec16ea5aab1fa2d3ec8d6cb49d947be739d08ea76e0a437444761f8fc486

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png

Filesize
15KB

MD5
e9068cd977693bdab242de4280dda725

SHA1
35a5c8aee11597ec7cc6adaf15e8673b713d73a9

SHA256
1701ff395543f3ad6b25584fa7014073f74949baca0dd2552216f58131328fef

SHA512
29ebff0f99c9a8f47b8f145ee8d88877b17ae0e3eeed1bc017caa20c68a63166831f5feda768189e837d2390cc80790e3e69aa7ec26bf92da2e90b66e1be3362

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png

Filesize
5KB

MD5
c9ae03c43b67a4e4986518fe3fe29756

SHA1
07221e0401f306487504ae9b3c46ef1cb5dec843

SHA256
adf41380b5ed3f73b8e5fb51f7f33b722f4db4600791cdf92033267c9971c4d5

SHA512
0ace7c3cdc18eb1e67971a5acd0a54e1c00d37ac556f8183dccede984cb6520660c9b27064a8ef5f7b706fdabd70e5e424b7b7271ff751bffd997cf2284f9fe7

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png

Filesize
22KB

MD5
8e058139e0576b4ad8d424bb21071063

SHA1
f584d2412c935aa8a7cf73ecdfaaa6a3cf87c064

SHA256
e86ee493e89f5dfce2ce8817ac5d1c04d8ba2b07a06ff0f967c0167562510df7

SHA512
9ce457aa516fb2d3cb7b4a08f2dd81573de301fefc6ddc877142a35851151407367605f00862fb77067d0969ba745bc6bc612a4440aa3017e508e572ec88f2fc

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png

Filesize
8KB

MD5
1a340e565e697e63b5a4ce51f7297119

SHA1
cdb4ca85700ed81db13b15d4bd5b77d41bb20d34

SHA256
c4bb210e61cd35f9a0a54fb941ea2e3bf6abde799bea1c78d24c761c9a3bc429

SHA512
92478fe26f9ea7454206a3106632534c5608d6940588f01fecfd799de636f11b003ffd1e5c762201f9a14f4ebb7fa6a711d99312b03914de817246a6008c7b35

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
102KB

MD5
1a6f1c137b07acbf947e9ce84a01dd57

SHA1
f0fca57d8e27f12fc0cadda94ebf36c465572af0

SHA256
f9444e7a18fec5afba56bf03b1a4a3696d28f7703671b91a28b818bc57a1c284

SHA512
21d96ce63ed5737ea048d3319c81d385fe7f655e767cc82b59f241bacd54f703337cd69a338221928520a79a59a355bfcb6afccbcedce40ed2a72484d148016e

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
67KB

MD5
dac8060ac5d8d1edab9176dcdb2c371c

SHA1
bf994d27141d85e746ac880830e708beba2bf763

SHA256
6318129a7b3db661b64d2aa5ab1e5cfa5221a6ffb221469d53a0bb638ba8a729

SHA512
b88f7a4129fde28dd98b03b42640eded3d854cc0e6577eda268bc0ce5a6fe6323e630253d8d339e8eb0e8ba09460f6322ad092f0d225f1d1919e2d5b4ef1e740

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
167KB

MD5
a586708e13318846139d33b691a31e6b

SHA1
e18235e27dd76242c2bf2cac4038dec0bb8d5a3c

SHA256
850bb07c4439b61abb382856fbcf36533155fa81bac07231cdc04fdbeeee1964

SHA512
fdcec983054cb7ed8ecf670abe8e9236b7719af4e80ce7f7a10045ca07ae84c1cf585172e71840c27fdcc68d09d81b6c83ec4c0b3843dc3565af2e85150975ed

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
10KB

MD5
2d3f9fb8813147797826025e2401f9e5

SHA1
8014de534d87132d3cf3590c227a536ce78e4c79

SHA256
fc102c4cb4c02bc6f8976d28ca2137c7189e09195ff81cb7eb097bc907dce154

SHA512
914d1f14da329ee50e9f20766b43f84d025f8caf2a269c21dcd45b52f8f105121d2cc98790d1dbd4c3cca5a628618afdba60ec898f3fc7a9cff0ac0fea3d5a07

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\[email protected]

Filesize
433KB

MD5
3b9c829c1b7a3f55be6e8881a5140565

SHA1
78243c04002305d4749b0b789acf0dc0be7686c7

SHA256
bbddd9a035ae1a420dfe95a83fa8ed4c1f3e9e4a31511c05d38ef1aefc6b5f66

SHA512
66d934de2b381f9bc884803c1dff8678b903d19e1f2a7aa06d243acaa050ad25dd67761bb7587d71e9a940b2ae4908b53f001daed7094b74f2829cd0efe2e1be

Download Submit
C:\Program Files\Mozilla Firefox\browser\omni.ja

Filesize
43.5MB

MD5
8183aabcf98f734e043d50fea5f76817

SHA1
477a0911f68c776a95e96ccc0f71784b527e70f3

SHA256
5c1228a5a0abc5cd8edb3c55ed9cfc093c68238a9780ebaa61e34bc9ccc531fc

SHA512
05652c71fc381b6f2ac6e067e3c1cd0f2bf8edcbaf38110761313d33d500d6ce3280e07c86bd74a26f800a486965a266b59f7a3c5e2bd7cd7fce2cd59f88fdee

Download Submit
C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf

Filesize
1.4MB

MD5
aac75d901445bc0419d56e56dbc18891

SHA1
3ada434f3a727167ce6dce3b865fa6bfb70ed86f

SHA256
6d90152ee0d29e82fe2a87793af5aa4b7ad13e6538360889e141e81ed299ee8e

SHA512
83fd92ff444ab6de18d48997247f49845abb8420a07b74ebc8a65bda8da69d28f87b6abe0f607b2fd7da398dc0f8cbe7fbf655af6d25785ad8b2f1a3afca136a

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig

Filesize
1KB

MD5
47012c20ad3223fd73382b0f4a38e4fd

SHA1
727e2bd85608c61df334bff34be720fb5674c4fd

SHA256
8a923e819638bdbe344262c0d0ce1fb4b7013ffbc380001183c13ba1c656717f

SHA512
7e3115de762617bd6438e71d79ae2bfe33ffc5a271869423a0b386d78627b124d7a1a1d6caf2c36396a2fe20c8b801f336fe7c6ee196ce73a8b38d8032b25815

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json

Filesize
229B

MD5
cffdadfaeeaaf0a5a78e7f9a299aa7f1

SHA1
7a8f06d7c91877484301ce8474dfbb1bde08a040

SHA256
ef47e83036753b53f59d079fef62bfedc749abdbcdb0fe16f448d9920f11114c

SHA512
5a11e448389326ddbd3be792d9a10ae746c66e4a41f9c96f4979ec71fde385fc4deb205a40f1b4f24415abd9d41c453ca1285f4b813005b1d12a2701f214db85

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini

Filesize
222B

MD5
4b8dc92a079f224935392f9b5a2dc051

SHA1
1027fc1b3e2e8ae78c60bfb25c5c9f87f9b3cae2

SHA256
79d1631316cd79bc5127f745aa6707b4445f7d0432b685ef2c3ec3cf3a62ecba

SHA512
ad0186cfc9df574e4a3c7c209b5dc3078fb86f6b1de0008bdede6768ec08d61b20f371d7b2d01dc50aa7d094b150db816358f03fa0d9135ce26d80d8886a1704

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

Filesize
914B

MD5
a12c8c27a65648677f4bbc17ca8aac76

SHA1
1c4214456050b9682b716222d64660ece2433f01

SHA256
c22e6b3b6646e0d79e69840db3a8b88d8d36d510ff93e26a8f93e8830aae1a06

SHA512
72864d40c9c67ddbb3e423cc8e5437893cf3513c59e671ec4f0e977d2bbdf5bcad85f482bdbc02e0d452fe96778e39cdb1d83f6356c412526cb5401138967671

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

Filesize
1012B

MD5
dc6329ef36938fb846f3556a2a1006db

SHA1
f27398b2cd8e1beaf91d9bd9e244e2af7c7e16a7

SHA256
ae1c1e6f5bc011d5e672353adeda4d3a8bfae7f47e5e950ecb52ee7bd65054b5

SHA512
cf323776dcde60dce6256c5b6a804a467beadf84b23a593b6803afe2bcf9d2754648bc8122989c0887de11d4a03dafad6b3b2157911607cdcd67a02c0d92621b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_7AA1872B10F7F2428A1288E96F0B99FA

Filesize
471B

MD5
814bc501240e704364010002c6b6a2df

SHA1
e2d3ad8f9a7dc1fe9361ec029d230d56bb1a201b

SHA256
298e1f8a4df2054394063001b7b7a0b28b3287f92da3a41128305028d70f3c30

SHA512
a09ee3c1ccbb195329fcc3332411a346832787466ec7fc8da8a0a0a5141f682dad510f73eae042b431dc7a831a46ff6f7241fea303c262eec49f414304e20385

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
20069500756a1a645a477c9e9d57e4d0

SHA1
7d5d14a9feec763954a936318f1d9890b728622a

SHA256
0b9c59cbdac33da5e2b39a0be1bf9d5861e0188c0442cf300fcdc70cbf9a3cb7

SHA512
29ee4033c4552dde83f70d5038593efb9eb5f1afd19edbf003d3996f0615552189f9f9d08ad36628a0da1e82a10efc82233f543a0bc4d622923632228854f91a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_5F3BC5C5F7FAA52EBA878B0B3A4A5C86

Filesize
727B

MD5
2635bc18a7379bb702985be21f12e078

SHA1
b17157934f762716ff74bde1a83daa4bcd925599

SHA256
5371f568c126f48dc48abaf63d3d48c67a6a473e14a97e3ad3d524b0f4eebf94

SHA512
6472eb56d6c9d55c1fecf8eef8760731552984a03c418f20db25f7b8a1f65d2ecd8ebef84fff8e37ce6a96f8d6a76625257e1d724e9478c7098820818c60842b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
774d3aa92b12172225257ea4c5c95eee

SHA1
770939ee446f51845370afd2b75193746dca5e73

SHA256
f812308abd1eba4984edcb716a18d0cbb0ffc82403a2724e9b449137f5228977

SHA512
1e3b7622839dc8e0f309aaa190e56db237a86600e758f995817b716921879176e64ec9253e3bf154631d5fb7f49d84db22b5ea675b37d2cb645d83468335f62f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_7AA1872B10F7F2428A1288E96F0B99FA

Filesize
400B

MD5
10fecdc39c487f16de4c01186c7f5abf

SHA1
7a81351d72c1aaa62ab0ecf9f40b2aeec91010de

SHA256
7656a9290763e3dde3d329015d985b66ab98b3f04a42490373a145c15eb18abc

SHA512
dc6b73fdef5907a2ad31bd78197065acfb536284f812539626cae514401c3bf7804d7b929010a92f5fd44bbb1ad8e822efe5ca6ddc5b7fac5c517828cfc2e5f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
1ede1da958107cb8a17eaedb836505db

SHA1
1eb134078a7ace8664c2ac30b0e0ef0de8eae29f

SHA256
c2b5b0327b74016e9c29f938fe1f7a4376d73f9b535caeee35912bd9cff57f5f

SHA512
55e2f1633efebe2db3929583c99d9399d380556f626c1f98f29d9251e8b55211b3ebcea28f0a5459225e7b88a3a60fa6182a42add1159f4236ac0601f6a94634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_5F3BC5C5F7FAA52EBA878B0B3A4A5C86

Filesize
408B

MD5
edf6a574aeeb15c7064a636e38c7fe57

SHA1
5adee4775448e153cbfabd90969bbd3a649d5c84

SHA256
0fb943b7884dbcf84ada7886878a835da3ac4fc8f83b537fdf62d9dd4363d09b

SHA512
42073374ec7f975e6003c0c3d3dec43090662a245924950ad76f42e6d232726350848b624698fdfeeb4c3fc088555a6655685260de706bc0d325f016ee8ac9b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
69d126a9862b3d2d0985f207f541d62c

SHA1
6e58f73ba9f8a669f7d188b6a55792c1d2611bd8

SHA256
0ebf8c82561337393f7d50b2f8c08e6aea7154098323173a20fce1b67ca0631d

SHA512
3f91dab6977fc5adcef8c390fae099614e5b6a19aac196e03deae6073f8147137853964065d8878b9fd5935c1936824dc37a66437d3f57ffc82a811772a80279

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\AccessibleMarshal.dll

Filesize
31KB

MD5
491a616c87d3eeafab593e0c1503133b

SHA1
42b6b45416b20ec1f7df2eca15b82d225191fcea

SHA256
39ac24a70d7b24b58d89991c62d2d0f58f937a7fc8ce1b6f1aaf4b878df419fe

SHA512
bb7d88640fe7685d27265329b04ae43301a52a80a5858d6a0469e5c2120d39e44fa23d6b6a8cec08e6d2c23282987fa694aa2738d6c19a28fe81ba6ef522ce0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\application.ini

Filesize
891B

MD5
587ae75b6c924e2bfc2e43459d7bc583

SHA1
4dd11b6fc5d182027041463d820f47b60db974fe

SHA256
661970f07e4fdaec1e52204f97b6254e21bbdb69c634d11e4ad767e7d3ff9c03

SHA512
37325b71c094a299e0b75880b294f53203786bce314948254b53be1f17634752a759553f4e57aa375873f721f1139215b23f75040a82c413078da8d8e7272402

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\crashreporter.exe

Filesize
1.8MB

MD5
09612bd31577c1e46fb79c0ffb55dd63

SHA1
37c93f025b7ae45e810985afb575a61f28aab19d

SHA256
3b9c0f431c082a5c9e5bbeced28764064edc05f37c5e1a1f7debef61685d6074

SHA512
ddd3163016ede88157bfded521d5e39b9ed8ddf8f7e83cff907a0f655f4a8388d3c5f822fae148097f88b69242b66f7239d4e35ede8754b6d3d1a7dc82acb509

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\default-browser-agent.exe

Filesize
33KB

MD5
44072591a54faff998c446212956a13a

SHA1
d52a1b9959af855518b38c0f1879dfbbfbf0f5a6

SHA256
b719889e85c6ed93d8b97ebfee8519317f582f99d2707fd50a57909a3cd30b95

SHA512
e91d9b5f0cce193ebc97c123ec66f65618af0b16318883d31b24c472e01df06db41303a345714814dff33e99f3d943d2d3934a5c2f370dcdcf0c2b6f634e2167

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\dependentlibs.list

Filesize
104B

MD5
57d13a567577c4d8b06e1ea3b0ae19ee

SHA1
4045ebf04c9a3c267ff0438afaf1f9981d9d5b2f

SHA256
27e5c0a4bb0d4a744adb926c5d9744b16e8b1b4b4568cc0b120c183a226968cb

SHA512
0661f601365ab0394b928155bd773e208587098ee5d8c9e9aaf4c86e2aaf03e3bc1d8487bc8b7be2d9627885998912aaf60de3630d672ba5d886842bac83871c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\firefox.VisualElementsManifest.xml

Filesize
557B

MD5
0aa43576f0420593451b10ab3b7582ec

SHA1
b5f535932053591c7678faa1cd7cc3a7de680d0d

SHA256
3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6

SHA512
6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\firefox.exe

Filesize
656KB

MD5
697cb0b6a1a6752ee8f3b5f67b2729ba

SHA1
1cc3e09776f961a09f2e45af9d6300993e1d45b7

SHA256
5985cefaea5b39674bd38da934da785adc73e9a88f3f3cce3f84e8eb4845160d

SHA512
fc165126bff66219b0dabc009c84cccd55354356f9788f3a0389a22b367f8ec4201dc2ad721269d3630c97689908c8f8b133817e867184d414ae6a2e23765f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\firefox.exe.sig

Filesize
1KB

MD5
7413cb8f1e0c938d8ab8c4275b605f34

SHA1
6517b2633c17723b6f8d8c9f39ad1664b9966de2

SHA256
76a08505e46b270637801e4c721784b8e91e1c017d635edea7aecc6224ca3e77

SHA512
a0edbbddc6f4e49cd888f3244ac860ce74d616cbb7772377509de2d5297b0d4c83d002f580cd99fab48d99e84a4a34e841e985eff05cb84aa882a32dafe2c548

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\freebl3.dll

Filesize
906KB

MD5
428ed32eb7aa116e31a08fd967400831

SHA1
e23e141d694d2399e654619cf2f9d7e08cb72cbf

SHA256
e50948f39778ee549d85733300f68d25a82cd5472c773752c55d52d05a45f615

SHA512
8e98ede4cc38d2ae30973f827248baafcbcc3a90a1d4966990ff9cfc7349a4a7fd88bf78aac09e30760d12cad74c229834a6ab0bceff93411e1d8812ebad17dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\gkcodecs.dll

Filesize
9.0MB

MD5
87e382bcdf468bdf324288d8cf6d9741

SHA1
e46bbe1f16033b733748045f08cb42ef077b7bd8

SHA256
7b8573671394e4f7cf82a57552411730ab7ffa01e180ce3b0d426e0e58df483d

SHA512
277143f6dbd30b1a7f82965d9df30f5f047da3277a5c25d923916d8fa470c7c4d2e5502e02a359284b1d9a550b845eae0a0d873c1df3acf04e5819d47907546a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\gmp-clearkey\0.1\clearkey.dll

Filesize
103KB

MD5
69bcb3263457481a174608eaa3aad62a

SHA1
9629d203f329fde69797a059ac95c658b2b65575

SHA256
3597945f77b57f2e35bdb2fbd5756624d1fce5d3d59624e34721dc1b3f033101

SHA512
cca86996dc3f317d5411c37fa6b20189d07c1c8e0f9fbeafb286d9f77efa91901e032a4755e46d9b629f68574b0ce5e1336f26c9868812bbfa53a069b9d48bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\ipcclientcerts.dll

Filesize
209KB

MD5
43e1668da13febdab5572df9b71e3b49

SHA1
2c3bcac884ebb478c80d77503e5b47388915f809

SHA256
57d231b6f512c5c6a4154232cead76c79e2de4ec2cff18e438a75198a6340f2c

SHA512
476c6a392cb1c12ffba139a7b59f2c79f5b43a22b6a30dc83db260b1e03df3412c7f48f3a0468314208c74e01dba34236419aa6f6c876081906eedebf846d3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\lgpllibs.dll

Filesize
154KB

MD5
f8ba057ce66a03d79769313153d52e6d

SHA1
c1b93917a30d515670126be6a34afb676216ed08

SHA256
cd8424cfd293a31dcf14c4e89a318d250b3a2a6de783ff8e74befb9022cd14e5

SHA512
6d013837fd97ee89fd58c0c9878de58a6eab30138d3a22ad650595165b606c46ba46f75945001f5a02fdf8cf32b9b180a20ab40136534a936c63df9a359272a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\libEGL.dll

Filesize
47KB

MD5
e9ea502feda0c1b464c95b01904ad962

SHA1
2f11f0fab34e98ca1f445ae7318f23471d416b73

SHA256
638a44392e8ae20d4d86e169714337b5a47d2f1e715a62ef1511ac0d797a2179

SHA512
8c1e80b8bb24334e6d10cb2d5c2fc8dd958b8f605b3f645496c42384850a1b1350d4d13161ad9a1e0ed6da829af9484b5dc5590251073cee4d86b9ba4a5a2045

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\libGLESv2.dll

Filesize
4.8MB

MD5
a72c51b944a90c411dc3d6a2fa1fa223

SHA1
5c14c315aa977b6267e4fa4c9639b3191f27e2e6

SHA256
970586b30c38132c40f208837b82fb6f53a2faf8f6a00b34fa36487f8c2982c6

SHA512
0768a59f9a0df5b78e47be486b276ebdb9058b6240c7b71e0825e8e5e04715e324c93f08f277c30783e3deaed7bb94097097c30bc86a76d69e9e113f1b1a8d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\maintenanceservice.exe

Filesize
272KB

MD5
4b953ffe6bc1d786fc92189a885a5daa

SHA1
ea307a110fdcdef35568747e8d8752460c7bbe55

SHA256
ade43c4073d69fb606c8460284180deead7735429b11e852b10c2a27e6438013

SHA512
0324b0d5b5fb39e4b29057b6eb77a9a3622915ad4b0046792b78e968cd939fa24d6125236d48ad8c463536b116ce6763bbcca997d3d008b699498f25eda85f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\maintenanceservice_installer.exe

Filesize
184KB

MD5
0f8c1edc2ebc7be608d90bea731ff74d

SHA1
590e16b8746f5f9261da8958797d71f72f9d0132

SHA256
0fb46d59ee22b563dcc0b27aef7162723a355742de63b4d72bb029fd600e9530

SHA512
30ac3143974de03f20a6d38e02a62a3e765237282e0930d569fd16aaf564b756f3aa2df3d5498423ec885490af3e9ec036ef5b7e5105899942ac113eb48ebcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\minidump-analyzer.exe

Filesize
752KB

MD5
86b5fe6363cecbe78cf21dd458c1ec4e

SHA1
e51da00c761a2aa379a33433fa7241032d0985c2

SHA256
8e6d367bdcd82202195889df21a4c28d226502160f2899666e7a7c97f1b71984

SHA512
763f9a75c56ff8b0a63381c58c3e120cae080a2b7b2c866b4cb5e831030962c0c103dda429553aaf1e9eb4d0dd2bd2281dc4d1fd235f7526e960b8f7a2e392ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\mozavcodec.dll

Filesize
3.1MB

MD5
d2590788a08a4041c915568b14702136

SHA1
d47d242425961f589074c133ef0aaecac7b5d87c

SHA256
8d99f23416f1ca2a38db4646d9472a543ef2e9427e49a196711c6356ac96e389

SHA512
d27d7a1e8249fbb35f195072854415eef8bea72430b42cd485f50fbe9ed910c3a9e590102d3bcd3795c595fb6513b79f18c7f60aeca1d219fdbfc6d41e711812

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\mozavutil.dll

Filesize
565KB

MD5
918bd931eb04f48dc5dccc216a9b9c88

SHA1
aba3ea848d4f6fa60fe50029a77902b6b2450721

SHA256
4d63b560b998c46f84cc3300ba6bb86d322918ffbd85e47f1741195167dcc722

SHA512
3bbcd03b336b277a0567c114d5264683b4f2960cec54c378fabbae95285ea517660670883f51f80868ef8b1e1099f87604a32853888764beeb8af24163f4bea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\mozglue.dll

Filesize
1019KB

MD5
dc8f63ad4427412be08047f44a7b17a7

SHA1
53ab862c7165862d82eeb4aa7b4dc4d639fa4c31

SHA256
ecbdea30e9011726507b1f935b7a8d20762608b010b8c5b371825f12bb05f70d

SHA512
f89190bed529a21c1881f2302020b168fdf43a45199c4d4f522eeb7423c0794940d2bf60692aafa4cd4f557b2cec8e046d81404617a90857e27cbe74f5cbcf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\mozwer.dll

Filesize
325KB

MD5
435cd5a648835b99f1cdf8f3449f7665

SHA1
e0472c05d334b609497ddc4518213f4a2838b131

SHA256
e7aa288c047567f286336430f64c2b10a2cd4b6b43843509fb57cababcd48b42

SHA512
fe18be4abc66361ad0101c495507a373b3f2cab7885fe02171427f70bf1b7e371d9a7cff5dac7c5a0fb9e338045045c50dfa35b474f51f10ab2c696a4690c01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\msvcp140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\nmhproxy.exe

Filesize
557KB

MD5
a4716dcd3871bfdc7502d993c5f2e4a4

SHA1
5ef4bf44cfa863b789cc9e35eb2d4a315c71182c

SHA256
c55c08d0182c4ee464e39d437999a3ce6d8ac2abfe406c4703264e7f4fb33a5b

SHA512
83bd2730d98b43b8cc59708813cc78cb3d9e4cadb305ab4e485ac39e721b2223ba2e7f2e0ee25f39e28f5b2506c0e4cf57366b671a42871bc5cda7232f0984f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\notificationserver.dll

Filesize
60KB

MD5
5212050c13f464645ddad6c6dd5c14f0

SHA1
24c8dbe4d9b34916c72a3ad7e16b0eb2a5f5c95b

SHA256
42c92a1a100c6ed94453964ae449f3eeeca20d9be64bb1b2aa869e54e4979367

SHA512
5d1b260a7cf00f5db6cc6795699e6c292faf8e3114e71185b391c42167f70892098947f472af812020fa597528e8abb42abd754b4ffb27d6e29d28c51bb3a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\nss3.dll

Filesize
2.6MB

MD5
91941eda758147c33b9962644673299e

SHA1
81da1ef0dee60b9ab8fc6f9f054ebf8bb3ce8e43

SHA256
b8a4d9e8c7f0a145fdc3acfff86341f01240d11add30099c2161cd7b143b5887

SHA512
857c0cf8b2c0847efb0a06f672ddc532d204b2149a1ec11916b21d5fbbeb9c1c7a97b4a9e606dd1ca4071d4f30d2fe1cdf6d3e92144cdb3900f046c702613e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\nssckbi.dll

Filesize
368KB

MD5
5429cb6c427da85080bb34ae85378c11

SHA1
c6eaefd2ab6d5bd403ab0ef202c6eede1e42e8ea

SHA256
069ae52edd52a78476aa7f8732a1840f27635d9c68cc60653c606fe45a3d8edb

SHA512
d9d3f18739c49ed30010f7d98fbaf07c561d313a2062600034fd9438e2f9ae8e61b0dca1724b37284381f2ad88eb6f8c958793176bbae1fd4dbd74cbd6ada9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\omni.ja

Filesize
34.1MB

MD5
712450bff044aa92148bf9fedaa116b8

SHA1
ae940d3b92a440356dde16bf6d28b4b430077bc4

SHA256
25294b29a0b4552d93cc3e80241dc6e1c24ebb4a6a53bd63372b0f71986c8f0f

SHA512
9eee01a3add6845d4816e2d71b01286985d532485f291503aa56a9072ec3afbca630e943bd84ae5e9e9d70fefd8705f53fe030c07b057eae08cb3b47f106b57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\osclientcerts.dll

Filesize
350KB

MD5
ea5575f1c6a12f27c5dc62d028e11f6f

SHA1
c964327b694820ca5defb4d8d555c83cb1161c97

SHA256
ec7637ad0b15961f7848076df1a3c1d59ba625a14fa376b3e81beb86837bab46

SHA512
10c5abe8cdd52eee71f38792f5c56f0ce4fbafa26a0d2a1729b09d2dd548900f6462507099e30030688991fd9a9722d6854b6040688aed7f4b09ae8e3c8c295b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\pingsender.exe

Filesize
79KB

MD5
0f3ffe0bdb96f2b3ebda54f86001e36a

SHA1
3c5615004b6bbe069372050966b114f2ff0d604e

SHA256
af0cbfdb8a29d8881d1702bc4b92210fe2944f9a7d23278896e7289aeb1c3424

SHA512
a2c86899a72ec30fb05a8f460a088629126140ca41fc6108469ad68ad6101542b64b71266c835189d1896387a641a9ec1f1c678b18b1c95c431aa46885c4ebfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\platform.ini

Filesize
165B

MD5
122c3a6bde158b53187f64064cab1adb

SHA1
bd00be5bc098d8e79d6f8ff668aef2cd7d07448b

SHA256
1a7845086bbab54667d81c83ef1870b086337086b28a85c3ae5da072606694c2

SHA512
754502b49e76bbb3fccd3eb7220c7d1a0d1ea9f9805c850313dc4b1d298859fad0bbc14896f257aada23efeffa0a5106987e377177465f07d4c39a32d2c98f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\plugin-container.exe

Filesize
279KB

MD5
4d6c11a461727c5c6b1971d372ea4995

SHA1
439ffd9aee94ca97302a07892ab0ca2ed82e5ad2

SHA256
9fe47a6b16528796460517f9edc5f367c7cc182326ce3967bcec1665b851a453

SHA512
c50245d5dcce7e07ac247dc4ffa4d69b16847c95bbf940d9096ccc560c47a5fb4cbcb8e77d3e21749b097e41b29761df8e076f62d78722265282ebc2294a5ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\plugin-container.exe.sig

Filesize
1KB

MD5
52ed159ab3ffae0c8a9f4426f766946a

SHA1
402923bab278d87355da5352e1f0297ff3885576

SHA256
0f09afb73abd9fb8db73e1dbab21fffe14b2f275c5eda8fc41cbf6b18b0b8618

SHA512
81d2771b771746d2e6bcf527f6cb02a90ed97cd120852328d3b6ec47bf11de928ad6a182a84b807abce18bdfa2cc7d6961ff69b5f660cfe5e07899523344a803

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\precomplete

Filesize
2KB

MD5
2363f635deeab900de46c9cfd85648a4

SHA1
fd2ab0fe5ba395025b9964422d21634769859f23

SHA256
9754a6f4f6bd15228e53f84c6c47deeff815f07cc8559616d640211bf7244177

SHA512
cbf43d11b3d35c9284ffc9be100fd6a6865919f7e09e6ba87fbc99995f44874477fed3b67c864c7c37668682ff45ca5e7f1b86ff916695e8817b48d4cdc8360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\private_browsing.VisualElementsManifest.xml

Filesize
559B

MD5
b499ede5c9228c742578086591193efe

SHA1
18e682ec73ed8fcea99893142fa8b08ee8a32b72

SHA256
9ea86a18d41112e25b17454044ac29b458f508d9814700a6f4c0f9370678f3ae

SHA512
b99ef0e9152da3bf6adac5fef67b44738ae7a2d1ef0041786a5700b8389acde7380f1bc9bf1402c7a356f1777aca7c2b05af5ee22b7297bc879fe2e6b9741f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\private_browsing.exe

Filesize
64KB

MD5
a9a77b47aab03ea2e70128b8d00cd4fa

SHA1
b21e304c69a54df2d02e6140a90d277d798f4d22

SHA256
1b4617389da91046b992295e560b8b27b2d19a20bdb36a599c357df6086f22dd

SHA512
98165f47cdd7ccab8b638db3bfd1809b60219ac5f999a58da1860ae062a73a37418760b0f977524a6bfefe8b69ace68769531c59fa26e49c114e47829f8ae1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\removed-files

Filesize
16B

MD5
fefbfac37461bd30e05f5befaa1f7705

SHA1
74f9024662db06184e645cab76bfecb0e6897545

SHA256
52523da24287c4d459131c2e4818a713a732765e06e9bbba1cf353888ba34f9f

SHA512
874d6bdef28dea531c858443810d0b026a3a5667e0b9985bce84b7c5ab63d06a015487bd1da2a914d28af7b6568335b1927f9fb9656715947929cd6671ccc4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\softokn3.dll

Filesize
315KB

MD5
aacd47fefccf821b4e666f75fa05853e

SHA1
17f4abac89355128ae976eb40ab58bac617290ee

SHA256
c3b928f2bae96a3b0b938862f40d4e720411c53f73e3d9b9605f632e2bd88573

SHA512
5f6b6c3d822beb993888f4cae8571e2f69f8a04371a5b147820aeb39c5df94c91f207cf5b5bcfa21aa4b5f5b3eca0b8ab97a6af07b83c66addb98abbb95fb5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\uninstall\helper.exe

Filesize
1.2MB

MD5
06f7877240b047f3aa90cb93a93a8ca9

SHA1
443ccf1571334dcafbe7e7d893030745f89a130d

SHA256
8d949cd72afb24182b1fd339fd8035d93fa3365bbc6782e0fd3ee3d194ceddd9

SHA512
2a4b3c3107ff40787b2049745a1ae7653efddc8c301e68be695c6c2df8186cb9b7a27994623c8e5dd0fa0a1d60b2c280691805f494b1a659865d030e6d5d2d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\update-settings.ini

Filesize
132B

MD5
1413131f8cfad1e19d299667bf759087

SHA1
a0435cbf1a2817ec960c56a896d455e78adc226d

SHA256
c18489344fdc21ae366b4d957a0b9f11be772483ca46f9ffab6ed0356f946513

SHA512
590b53aff46903b1883c5fb14492ca85db2c6e0e900d0fdf62c3e6da10f1d10c3aa51224dc6db50f4eb12d42de017892f77e91d79aa16fcaefba10b27748748d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\updater.exe

Filesize
454KB

MD5
50974e771e0799f711707dc7c4a09630

SHA1
af6425fdbea686fa565934ac854f438a3a8abac3

SHA256
859b40ee329d82f068da849e33871f858b90f4ee6e0ced30b513b929437487a9

SHA512
a3d0052b0b6870ecf2c336d523e6959620d85043069a61e819deda1b08cb94d33fcb2ed36f74e71cc74646169db7bbd2f348b6f55c67e9a00c8e88d25138ef20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\updater.ini

Filesize
1KB

MD5
7a6cbd521497f6dd382f7b8c6aaa1eb5

SHA1
a0bccd339f6d045f0aeb4de504398c97c3dc2be0

SHA256
531b55d2224efa181b75ed4ceb84e4f854f26c2382dc411945515d57d8df2243

SHA512
af32b8b1e93c2fc1bb6c7ce0f371c8cedcdcb753393e8cbdf282424935db5f8f04b3468d450edc81ef28d8b4430d8941dacb2d8826d28be9065dc787c53eb553

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\vcruntime140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\wmfclearkey.dll

Filesize
199KB

MD5
6566bb3a1516fc6e1bcf3164d5ac6855

SHA1
e150c4b1e0a0faeac8dda1138cb1477ed193ef27

SHA256
9a2d620d5f8470c95a4eec03209a04aba83b715372adb0f7f9000e15c68c55d0

SHA512
2848ea78ffe046a77e412c276063c0d2ded7893aff153608e5599b5ffb37ce957b03a6c90e53aea17af2801938c031cb2fbc4b436383b93da0b24e02a71e980d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\core\xul.dll.sig

Filesize
1KB

MD5
b6d90c5b231e33bc5727714778b5bb09

SHA1
9c78c1441e519375451a3e66e9122cefb552aa4f

SHA256
1e90d78930186318ec41b6c72db8bcf9a3da353c4bbf8251b19b69efb68e8458

SHA512
b170ce0df81f8e41b32b7569b5cc7b6d909c1652f8779e8fe49102e774ec9433cbdcf3ad0ae72036ea53bc398d882626fde6fb48469301739641e11b43d95248

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F6556B7\setup.exe

Filesize
941KB

MD5
4303c25616fe69ff023f2474c4f637e7

SHA1
bb639f7cf6fe34248ea4ceb587e6496b54860d9e

SHA256
3878818ad29a5bb2ad7a7b769df15e5c0b5a4b79011b36f0801590c90a75b53b

SHA512
8dcd9063a41e6e09f8cb485b719e5e2a73e158ea79e3765e3fcb56129eb0fbaf7b47d6121b6af2f056cb8e8518af67c0d148a28a7c21630f2376501b48239496

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\AccessControl.dll

Filesize
21KB

MD5
eb7a540d0d2e28f6bf524d2cdbe0f478

SHA1
76204991c60913cffeba5595033c4f79e1e89bd8

SHA256
ef4b548b27a6edab3bcb25cff0598918c645795850d62f232909dee851e04c6d

SHA512
947132d07f7875dc99fbe8a87757f6efee0a8c6271f8a3bac6747f9f4f60ed7e203e28a588db8c55ee898ba8f3dcf640f6562c49c45d6c6d8fdbe2d2309b9984

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\AppAssocReg.dll

Filesize
14KB

MD5
012461cad43cc5a871bb2019a461a2e4

SHA1
75617dce95008117b5b1bd602bbbe58dfda4e6d8

SHA256
eeed86addbf5989fe54e862e68e9a287eeaad11b209c26de67ab660b21445e15

SHA512
f1c42d0703e5c4fafae2fab90a7c23499e8b72f9e04ecc10602d1c48ca08781000cda36af86577b3e2380684ca442db54668f390822f3590b6dca6507e80fa2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\ApplicationID.dll

Filesize
55KB

MD5
fdc0338e6faeaf6f7c271982e103473b

SHA1
9a41f7932abe8be7e32c6371f085cf14de355d00

SHA256
a9dad9fdaae93d10dc2ee346b231913445e731049554b8bb1506827e46f8a44e

SHA512
a766eef11db4c94b1445d1cd70cf1d3b6141d6b3973562e9fa8d81c79195886b884dbc9b9f6952f8a6e8619534a6bf2d615d539d2cace9c8843dc19415051cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\CityHash.dll

Filesize
53KB

MD5
2021acc65fa998daa98131e20c4605be

SHA1
2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

SHA256
c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

SHA512
cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\ServicesHelper.dll

Filesize
14KB

MD5
b9e8c2212ac8dae4b0eaf97c048529fa

SHA1
331d172323480b0518abdb0cc9e256dc7f46c357

SHA256
d6f6758adac2c073bec481e8de762af3a5574789bce3f43de02356afc9911e0f

SHA512
d93aa032e27c8268a4f6883711cf41f7ee2b5d33673a26d78db24456f2c548af39b7b98ed4b4737245c278d524fffb3e4bf708b6815dc866acd371427ff6be96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\ShellLink.dll

Filesize
14KB

MD5
fa94d120efb029b43217c66bbc8c650c

SHA1
1fcf2d76adf69b403b7400681ac91d50ed20385f

SHA256
5f6f414b412c72b10f49eb92af1d368ede531b58fb200d539fd2b45e371612db

SHA512
07ed0771d5bbb651ea7421a5f6b08fa234f9cc041315d9360a7135ba12180064fc99a27725385a8ecd3ceb25bed5c00de169f7dabb3ccf6e987f45254dff8158

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\components.ini

Filesize
44B

MD5
c9b5d86a9a0f014293b24a0922837564

SHA1
3cc73b4a30a1a0bfdc6812bbd17994f53eb5db2a

SHA256
775c85f3552754ad3794b88c0cb6d6fc43d412cd9a87a4b9e847386a5bd0a9c4

SHA512
790f365afbe4c5a37dbb56443d38f0c439eadca002e4001d373d6db8c1d80c4adacf3749e9d210cd0316381682fbbc46616a3fa36581c7ea6f5ce69119944b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\components.ini

Filesize
610B

MD5
d99af869f79f676872a8999b25e9dd22

SHA1
ff35f7cf1414cdacd7cfcaf79e4030a53be578d1

SHA256
9bcc1706834feed083da8e2d4fde24cb873efeac9c7a876c1b297bd3777dc83e

SHA512
65680e09d81515562e3fb81e89e273ce15dc76272cbddb7a1e47105c61f2b226044c05813aa689f6badb1626551c4f46d82398ef46ecb4a54aa52b1f9d2ca621

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\extensions.ini

Filesize
246B

MD5
46c521e239d92d4003037bbb3b2938af

SHA1
354712cb1d830db838345d3aee503abf1de5d013

SHA256
353c5908e3f4075d2d828618b39d27fd88edc344f792c732401b9a50a31b2f08

SHA512
d468a20d70a1771635b9d9548e4164c2f84162bf36b180529d15d1d4706be612a9b64683087a8dd0966af5d6fc67116e5f4cfca8648b915b1845760f61158e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\liteFirewallW.dll

Filesize
19KB

MD5
f31ba98a8d87faba153eea134968c854

SHA1
da0865cc1a86a39367f22897e1f9fbf4fb1f804f

SHA256
708fb54cffb6aea3547fc5ac745d1435ecc814df563bef59ba7a94f57d082bbb

SHA512
d991a2dd5ef537b25898afd7b7e73274a3cb8e6f5fca1621af22ee2761b82baf220aecb0c84434566742e2ab00b2f57a3740ce9831e76d4e1829bac3e044c8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\nsExec.dll

Filesize
17KB

MD5
0e584c7120bd474c616013c58d51dc6b

SHA1
0bc980892341b52985d92fb3d8fbb6be77951935

SHA256
7fb626aa05bee1095633a75aeb7895ebd816a98e0aa1581a0154e4c196de5391

SHA512
aa3a471b3f33c3ffdbe1b1e3c1e5d04367bcab3c16049396a8dd12c5a8317e4b153761f74f39b756dd4fb1806aedc4f1bb38bfbc12f16480eed3fd3087a0d157

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\nsJSON.dll

Filesize
33KB

MD5
e832077eaee06f3b2ac9a8d2e7264567

SHA1
decbc329257c9c7fb67d3c449b4c5dfc1f87471f

SHA256
705f4947fb94254c4e5084e6a962045f6a4e790dfc1ecf59cd0fc3feb38bcbbf

SHA512
c1bada98c52ee2318d23c48fe202380eb42c5e1f18226cdc017f264c8c34f548bfe4d9b6eef13caae69ba321a71b199431b249fdec65f8bb1c386810932ccf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\options.ini

Filesize
1KB

MD5
f50ac2442dddb1ec2bd0dd5410fcfbb4

SHA1
13a4a1dbd6cad83aa6e5d9043b6d98e1bf4ec371

SHA256
89b31e3fe0c4390d252a686512bacec6f53e3f4da6d1f12bca2866d4ba37d021

SHA512
697bad94809681055d19fb03f8979c79bb948bd01888392a0fff37b30fc87f965e7f716c0c28de6df6746518a5d5c26006e3a313eecbc6f8bdbed25d39d6f8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\shortcuts.ini

Filesize
874B

MD5
71851e095439dfcac9099254c0881673

SHA1
d31c9dfade1d31b937872dd6a8761c4c117ef588

SHA256
97ef03760837f339242d39927e0f9fa046669ed66b9a413b853ea8b6450ebfc4

SHA512
1025ff9cfed7f064670b43b401f80a2a805354cdd0f3a348c3935e15e08d67d9fb05d028b259a66003403425d842d5f10aa88e9bb57563765cecb91e85ab6c18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\8oimdd58.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
cbcdff80b37709f5dc565d308366b2ea

SHA1
9cad7817766beefd6ea69be331c8dbe9f7f0146e

SHA256
7845b22e25e46efb75b19284299db407b4ababd5cf5183f2bf6fe61865fa6a39

SHA512
de3e4ad26a8343e19f6d7b1f109ba3b039062b0e7a5b402329554f18834aecc9832be853c0827d68c5fe1a2371a5f0fe6ae3f047061a32f0116caacc74c50f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\8oimdd58.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
99d15eb98cd6f832521a879ab4ea9a9a

SHA1
5ee12f89a617824d1f39647cba7cfc6ee0109ef4

SHA256
e041ad6fc1c65d7e8f614aecf1c575c943a0676b7549f558220e5c7937952669

SHA512
c7e2040d15656fd2023b420315d35a9d0cd1f7f733b2a0b0bea6db1684487ebff3129d70d0f269e40b3d2625e309faeb485786cdca3c07095f6f448fd908a81d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\8oimdd58.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp

Filesize
2KB

MD5
d5608dd90194793d146691e90cac6854

SHA1
4a435b1d73c4bf1883944b2bce7487de7035a74c

SHA256
32f99d426cb78b2efd0ea71304d006724e994687012491f2cd17fc6dcda18728

SHA512
5945e0fd6e8d630916c1cc54290a396cf302a85687b52b5d5d5166943f0ed6d600a5bd46fb6b74a29274926e81ef1c3535c8bee02560a4ed250b3dcade5234ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\8oimdd58.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
9d2f357733765be5054429fedd104e50

SHA1
6dbd9d76ded4156df6a49864e3664c8915a5f44b

SHA256
0c4f42845ea85879752a5d8a251a65a0942078305039956648d623faab807800

SHA512
d55077816bbd7d2ffac12d4d303dba7d870897f08ee16490049078af3e09f44007b0a793ff8ccebcda32eaa19c2864c014c6d80a856cb4d327767a6af3786336

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
f5cf2d8fe20840029ecff5c296cd316a

SHA1
8aeed7501be9e1662c7aaf2d8d74327aa2d59431

SHA256
2da4fd55136f37bcb3517b8f2e42e96eb6a20e3a3b1367194b4b50ed14faefa6

SHA512
df3738a8e794c85f959cad2751b158378f94e327ae53c761c47513a622d577660dc40cdaee1d8cc73818802bd42347f52afd4f23b2f0c037dab2e4c880c9562c

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
902B

MD5
5bbb0d420aac327319a1bbc7439ae017

SHA1
71a1c1ee0a81bf5361778c984f3f13644ee2ecaa

SHA256
2010753a173e4597e0ce2868b5ad912bdc788c3b0bd875bce4af88f7085b7758

SHA512
801932c961c09a3513ad8e51b5b62ac97164d73cdf35629abcd1d28170c606d6fc171538723653895296111724651d29fac10303157eb50eea02a7a2d5cc4299

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
96e3e21a19725a2d493c3d838502abe6

SHA1
2294535203402c159abd4ae2742c09b9191bedce

SHA256
6e6023a80878872e9597b35278563e8b589b2ad9e6410c3ba4361d212c1b078d

SHA512
f87bbfa66571025b0d60195c2e8c8950fd04968f888a186715cb39ad72aff6219cf8557c587128b039be43454b1eb50f112895946800f971e9e067588bf73b93

Download Submit
\??\Volume{83bffa96-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{852a991c-19ba-4b43-9e1b-bc86ea22e4e5}_OnDiskSnapshotProp

Filesize
6KB

MD5
d05150710afcfb133086b9af17723821

SHA1
6868795730bfd42d54f74ebb9120b128891addd8

SHA256
991401f907dcd290c6eb79dd00ca95f79e3b1af0d1bd1969ccff5b0a0e80d186

SHA512
8c41f0a1e8e7b32bda7936c6b578785161775c30e429f4030907505562a884fd742b137551f3dfd68e40dee48ca7eaf02b0d4caaaf6a4094957a3b18e1df152f

Download Submit
memory/1784-577-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1784-33-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download