a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 01:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Size

5.8MB
MD5

52599d7a3815f5004c6b3e1fa4826a07
SHA1

4ae4aeb99d18947155a5bc190bc0b6ef2e8d94fa
SHA256

a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285
SHA512

c2e32b5ebb1f2028149d857c2c914ecc29dadd226812c7ecd54df931d89405af25f18977416a59f1b0a76c4eba1f5ee66e1434adf0f99bf46ad33b8d2b20ebdf
SSDEEP

98304:3nNfMJBeiJ9aSN8rP4j18frP3wbzWFimaI7dlos:XOBeiJ9a+ygbzWFimaI7dl3

Score

9^/10

adware persistence spyware stealer upx

Malware Config

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 16 IoCs

resource	yara_rule
behavioral1/memory/1724-5-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-6-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-12-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/files/0x0006000000014bd7-16.dat	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-14-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-13-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-18-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-20-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-25-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-34-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-206-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-219-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-223-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-330-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-340-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1724-348-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 16 IoCs

resource	yara_rule
behavioral1/memory/1724-5-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-6-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-12-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/files/0x0006000000014bd7-16.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-14-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-13-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-18-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-20-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-25-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-34-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-206-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-219-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-223-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-330-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-340-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1724-348-0x0000000000EC0000-0x0000000001488000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 10 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001232e-1.dat	UPX
behavioral1/memory/1724-3-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/1724-22-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/1724-26-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/1724-110-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/1724-201-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/1724-220-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/1724-224-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/1724-272-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/1724-341-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c00000001232e-1.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000001232e-1.dat	upx
behavioral1/memory/1724-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-22-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-26-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-110-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-201-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-220-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-224-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-272-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1724-341-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe /onboot"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
File opened for modification	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
File created	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
File opened for modification	\??\c:\program files\mozilla firefox\uninstall\helper.exe	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
File created	\??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Low Rights	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "115"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Token: SeRestorePrivilege	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
Token: SeDebugPrivilege	1048	firefox.exe
Token: SeDebugPrivilege	1048	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1048	firefox.exe
1048	firefox.exe
1048	firefox.exe
1048	firefox.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1048	firefox.exe
1048	firefox.exe
1048	firefox.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 852	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	29
PID 1724 wrote to memory of 852	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	29
PID 1724 wrote to memory of 852	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	29
PID 1724 wrote to memory of 852	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	29
PID 1724 wrote to memory of 852	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	29
PID 1724 wrote to memory of 852	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	29
PID 1724 wrote to memory of 852	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	29
PID 1724 wrote to memory of 2464	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	31
PID 1724 wrote to memory of 2464	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	31
PID 1724 wrote to memory of 2464	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	31
PID 1724 wrote to memory of 2464	1724	a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe	31
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 2464 wrote to memory of 1048	2464	firefox.exe	32
PID 1048 wrote to memory of 2932	1048	firefox.exe	33
PID 1048 wrote to memory of 2932	1048	firefox.exe	33
PID 1048 wrote to memory of 2932	1048	firefox.exe	33
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34
PID 1048 wrote to memory of 804	1048	firefox.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe
"C:\Users\Admin\AppData\Local\Temp\a8c775dfa983bfab9797ada9b5d868e9a16ac50170603028549fd83c2e361285.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  PID:852
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.0.475135784\1651859342" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {726b9a7e-eebd-4ccd-8578-b5c86a7e1dc1} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 1312 104c0e58 gpu
      4⤵
      PID:2932
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.1.1742034211\1959907161" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {826ed298-1039-4461-8ba3-8f980648834b} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 1512 e72858 socket
      4⤵
      PID:804
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.2.1062702534\454427473" -childID 1 -isForBrowser -prefsHandle 1824 -prefMapHandle 1836 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63a66828-1ac2-4041-a575-9ab6ac4a90a0} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 1984 e2ea58 tab
      4⤵
      PID:2040
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.3.754715956\1588799909" -childID 2 -isForBrowser -prefsHandle 2652 -prefMapHandle 2648 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67ef6ed8-c8a1-45e7-928b-78fbf209e4f3} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 2696 1bfa1f58 tab
      4⤵
      PID:608
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.4.284202050\1195668713" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 3676 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {466fca7b-dd56-4ad4-94f9-02529f32bce4} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 3684 1b4bde58 tab
      4⤵
      PID:772
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.5.387655408\768460711" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 3808 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcb28fdd-b076-4efe-a6ad-3e46d438bdce} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 3788 20ca4858 tab
      4⤵
      PID:1208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.6.1897436156\602165598" -childID 5 -isForBrowser -prefsHandle 3908 -prefMapHandle 3912 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbf0f47d-b03f-437e-ac42-342369a149d8} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 3868 20ca7b58 tab
      4⤵
      PID:2592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1048.7.1489328066\1797355043" -childID 6 -isForBrowser -prefsHandle 2276 -prefMapHandle 2000 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f8a3030-1b74-42e2-bc36-aa5046af536b} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" 1984 213d6458 tab
      4⤵
      PID:956
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  PID:2432
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  PID:788
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  PID:2572
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
ede1d2507672303af40d97448215c38d

SHA1
9df76d41d8427a6f0067c3170dc0b171a9e16745

SHA256
fa58bd4f63345fe3b06f41d2d5bd61d936a0e72ee101862382754416d42e5e8c

SHA512
4582661bfe5b4a4891e7e88558dbe37e89cb024e951fdd02be2d579ec5b859ca0a6157b2e3569d515438ffdc5da5cad9a04e232a3c9dacc861cee0a037643233

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\b8a49e4f-2614-4035-9970-d79ffafb9f89

Filesize
733B

MD5
81cd8978ed2614081edcca292d71f096

SHA1
6543c0cf68aa078340db015266d42a717811e965

SHA256
5e39dae8ef57d2f21a3846e255835aca4331e556b6b85db5fc252432bda31313

SHA512
4db366b32ac19b8771692cf2d807ffc3f1f98dfe8e6d63e86e1c38b91200cae21829c927495283486897860d9932ac444e0ce84330c8ecdbbe5a87e846649870

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs-1.js

Filesize
6KB

MD5
274637dac06145acc0b31171b6f0303f

SHA1
09edec3fb3a4b7cdcb92c2c268622a16db59bd82

SHA256
459e7988b6012baae7e32b28dbd5e34b62d5ae6f1b67ab37c6047fdad91732c2

SHA512
7cfbedb6bff2691f1852e0e6e6049fb268d9098b3217614569da3b7b782267c2a8caa81597c825f54f8bd7006f596c15e365abed012122e4956bac6cdbc7d72e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs.js

Filesize
6KB

MD5
41f66efff81649f81990aefef908df9d

SHA1
9e4bc4274d74be96eee28d0ddd0c0512f8f442a3

SHA256
a6d52ae38b081042c2d82f0eb62881cfb4c04f2d5e1be45cee792c4231e7e2d4

SHA512
e27f873a2a16d93793527de4afbb9858e2cdebddfacac9e67d3d204395ce14dca39138c41dbac4744b91d6ddfe999229409c1c9e099cbc47a0e625f03d4cc43c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs.js

Filesize
6KB

MD5
a2dac77b069b00418d661ad0b5b3b00c

SHA1
1fd34659d063db28125f015ef5e02ba8bdcbb9f3

SHA256
959d8328b6aa4e556a730ad93abb8bc07091681a2377bb50d58aaaf9316d54f1

SHA512
b6ea5b61a797eae17e070c1c4c07eb43e6e9e7bc24d4106f480088f5a060c080c8f75e609468c6767d96651f560779feff5570825de5145bce739cae8de9fef2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
033352410057acfd06068401e684d956

SHA1
aa278464d96230160fe9c49a0bf8c691269dd1b8

SHA256
89ee346ffec99bad0938307403f1dbdc5d0f184a4ba0de35f520a16f0fda3bb4

SHA512
0d45126f07e0665606161142eb8e041de30dfd7dbb2fbe60454415273ca3f5c97ebdabc0133ceb57fb5c877cb76cc07a4d26433505e006b1422bb98c9ac915ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
5e408510e49e400798db0c3d8d9d24b9

SHA1
bdf1af36f1d03934209eac72ca486cf4c9810b45

SHA256
81d5663f7cdc1caed0e23fb10c3798a9791c0bdac67b6ca96d321cdfe71c9532

SHA512
20a1f7b4d4eb3117f0fae575a6d91bd37207c81fc831ee1baa54c752a3a1b547284ab198126eee37f0687dde2aae81085a555e0101074f391665317a61903357

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

Filesize
261KB

MD5
2c0aa35c9b0b4a15a1bfb3d62878358b

SHA1
0c6be1c72ba5d3a1330978edd19d0a750928a6ea

SHA256
d71120a02270e39772ada74a568232437a0ce017c8e376e9b0805133cbc2f8f8

SHA512
03ed0a06ea1028366ddac8d25365d6360753a76d2ca8e8ed7a607050162a1bdaaa9556f36e50d5e9ae948002d626c6968f2c235d89e86797a8750bf4c020c796

Download Submit
\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

Filesize
1.3MB

MD5
8f38d65ad66f37106facd70b82d1df87

SHA1
f971b31f659438db44266942ab3f57f4b5c76af5

SHA256
e2f9424222a52af94de6ab603e96ffd669805bcc6dfafedb6a39201ac971df58

SHA512
491f31e491bcfb0d3fdd26c83cb44851a0f0e1291ac75271f2e13acf4b12dfd81158be5e8f061f60d41019e335a0e72bc51908fec7454bdf02b8c050756c1782

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\278D90C6BC.tmp

Filesize
5.7MB

MD5
c63282dcd9262fe365d0047b60bede8c

SHA1
8c3db4811962cc0b88a00ff07cc3f87a3e81d390

SHA256
4844e0e0de7ef5b004bc051d9a3a59b3ccb1e05abadb8e35a43314a1d5ce1d27

SHA512
10e05559633d26f52b1d9481321b6585c93578fbffa0bbad426791f8148edbd67d02b2f166c74154192c7b11b426f00c7ee7b372ef5578512b81e4fb4737fff3

Download Submit
memory/1724-25-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-20-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-139-0x00000000765F0000-0x0000000076625000-memory.dmp

Filesize
212KB

Download
memory/1724-34-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-201-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-204-0x00000000765F0000-0x0000000076625000-memory.dmp

Filesize
212KB

Download
memory/1724-206-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-210-0x00000000765F0000-0x0000000076625000-memory.dmp

Filesize
212KB

Download
memory/1724-27-0x00000000765F0000-0x0000000076625000-memory.dmp

Filesize
212KB

Download
memory/1724-26-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-219-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-220-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-223-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-224-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-22-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-110-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-18-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-19-0x00000000765F0000-0x0000000076625000-memory.dmp

Filesize
212KB

Download
memory/1724-272-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-13-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-14-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-12-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-6-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-5-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-330-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-331-0x00000000765F0000-0x0000000076625000-memory.dmp

Filesize
212KB

Download
memory/1724-340-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download
memory/1724-341-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1724-348-0x0000000000EC0000-0x0000000001488000-memory.dmp

Filesize
5.8MB

Download