Malware Analysis Report

2025-01-18 22:09

Sample ID 240502-sb2p2abd2z
Target ed6dcfe516c20b3c4e309f2529f456a5.exe
SHA256 56070412a6e7209e9119d7402952a04ef8063fb535ed4ce8abed661594077a01
Tags
adware persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

56070412a6e7209e9119d7402952a04ef8063fb535ed4ce8abed661594077a01

Threat Level: Shows suspicious behavior

The file ed6dcfe516c20b3c4e309f2529f456a5.exe was found to show suspicious behavior.

Malicious Activity Summary

adware persistence spyware stealer upx

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-02 14:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 14:57

Reported

2024-05-02 15:00

Platform

win7-20240221-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed6dcfe516c20b3c4e309f2529f456a5.exe /onboot" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | \??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
File opened for modification | \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
File created | \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
File opened for modification | \??\c:\program files\mozilla firefox\uninstall\helper.exe | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "ed6dcfe516c20b3c4e309f2529f456a5.exe" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "ed6dcfe516c20b3c4e309f2529f456a5.exe" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\ | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "122" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed6dcfe516c20b3c4e309f2529f456a5.exe" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2724 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2724 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2724 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2724 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2724 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2724 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2724 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2724 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2724 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2724 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2724 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2404 wrote to memory of 2440 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2440 wrote to memory of 2660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe

"C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.0.1007952964\1398314720" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26758a74-2a7b-43fa-bcdb-0c591859928a} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 1292 11fd6e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.1.1330380139\599529773" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {878871dd-bc5f-47b5-8f03-f881a9f10dc8} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 1512 e72b58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.2.189795080\1955104375" -childID 1 -isForBrowser -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34a12cd4-c835-47fd-a93c-82312503c364} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 2128 e2e158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.3.1338364365\82289010" -childID 2 -isForBrowser -prefsHandle 2840 -prefMapHandle 2836 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {496e77b4-9661-42b9-874c-af98fcaa5cc1} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 2856 1c570a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.4.576177480\1399556378" -childID 3 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f82b56c4-6cae-4e94-86b0-fce83513a4c6} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 3588 11fd6558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.5.1651757886\1693049775" -childID 4 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c94e0c3-2b99-497e-87c2-ad6c8edef981} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 3788 1fc96c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.6.616935149\1559185713" -childID 5 -isForBrowser -prefsHandle 4012 -prefMapHandle 4016 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42a8ebe8-67b4-4987-b58e-c2ffd57f9079} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 4000 1fc65b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2440.7.1026292677\500810234" -childID 6 -isForBrowser -prefsHandle 4128 -prefMapHandle 4200 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00495238-9b08-4881-a7a0-0e7eeb7c367c} 2440 "\\.\pipe\gecko-crash-server-pipe.2440" 4144 1025ce58 tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
N/A 127.0.0.1:49227 tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
N/A 127.0.0.1:49239 tcp
US 44.233.67.78:443 shavar.services.mozilla.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 addons.mozilla.org udp
US 18.239.208.2:443 addons.mozilla.org tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 registeridm.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1---sn-aigl6ney.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1.sn-aigl6ney.gvt1.com udp
US 169.61.27.133:443 registeridm.com tcp
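The table above mixes two kinds of traffic: what the sample does on its own, and the first-run noise of a fresh Firefox profile, which is present because the sample launches firefox.exe during detonation (see the WriteProcessMemory rows under behavioral2). The following Python is an added example, not part of the sandbox report: it parses rows in the report's flat layout, drops DNS lookups into their own bucket, separates browser background traffic from sample-attributable connections, and lists names that were resolved but never connected to. NETWORK_LOG is a subset of the rows above; the BROWSER_BACKGROUND allowlist is an assumption made for this example.

```python
"""Added example, not part of the sandbox report: split the network rows
above into DNS lookups, browser background traffic and connections that are
attributable to the sample itself. NETWORK_LOG is a subset of the rows
above; BROWSER_BACKGROUND is an assumed allowlist for this example."""
import re
from collections import Counter, defaultdict

# Constructed input: rows copied from the table above in the report's layout.
NETWORK_LOG = """\
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
N/A 127.0.0.1:49239 tcp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 registeridm.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 aus5.mozilla.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 169.61.27.133:443 registeridm.com tcp
"""

# Domains a fresh Firefox profile contacts on its own (updates, remote
# settings, telemetry, codec downloads). Assumed allowlist: a listed domain
# can still carry attacker traffic, so this only orders the triage work.
BROWSER_BACKGROUND = (
    "mozilla.com", "mozilla.net", "mozilla.org", "mozaws.net", "mozgcp.net",
    "google-analytics.com", "gvt1.com", "openh264.org", "akamai.net",
)

# '<country> <ip>:<port> [<host>] <proto>'; the loopback row has no host.
LINE_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<host>\S+))? (?P<proto>tcp|udp)$"
)


def parse_network_log(text):
    """Return one dict per well-formed row; the loopback row has host None."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def is_background(host):
    """Exact or parent-domain match, so 'notmozilla.com' does not match."""
    return host is not None and any(
        host == d or host.endswith("." + d) for d in BROWSER_BACKGROUND)


def triage(rows):
    """Group non-DNS connections by host, split sample vs. background, and
    list names the sample resolved but never connected to."""
    conns = {"sample": defaultdict(Counter), "background": defaultdict(Counter)}
    looked_up, local = set(), []
    for r in rows:
        endpoint = (r["ip"], r["port"], r["proto"])
        if r["port"] == 53:
            if r["host"]:
                looked_up.add(r["host"])
        elif r["host"] is None:
            local.append(endpoint)
        else:
            bucket = "background" if is_background(r["host"]) else "sample"
            conns[bucket][r["host"]][endpoint] += 1
    connected = set(conns["sample"]) | set(conns["background"])
    dns_only = sorted(h for h in looked_up
                      if h not in connected and not is_background(h))
    return {"sample": dict(conns["sample"]),
            "background": dict(conns["background"]),
            "local": local, "dns_only": dns_only}


if __name__ == "__main__":
    result = triage(parse_network_log(NETWORK_LOG))
    for host, endpoints in result["sample"].items():
        for (ip, port, proto), n in endpoints.items():
            print(f"sample  {host:40} {ip}:{port}/{proto} x{n}")
    print("resolved only:", ", ".join(result["dns_only"]))
    print("background hosts:", len(result["background"]), "local:", result["local"])
```

On the subset above this leaves two sample-attributable hosts, www.aieov.com (three plain-HTTP connections to 45.56.79.23:80) and registeridm.com (169.61.27.133:443), plus www.internetdownloadmanager.com as resolved-only. Run over the full table it also reports the test, secure, mirror3 and mirror5 internetdownloadmanager.com names as resolved without a connection. The plain-HTTP host is the one to pull from the PCAP first, since its content is readable without TLS interception; the report itself says nothing about what was exchanged.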

Files

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2724-3-0x0000000010000000-0x0000000010030000-memory.dmp

\Users\Admin\AppData\Local\Temp\A1D26E2\A9598E0AA4.tmp

MD5 9ba3fc63446726a22829827bf31b4756
SHA1 09ebf3bcbe92a518f865f6ee53e8689b10b2c4ce
SHA256 bb0a1d5ae72061d358a95f71b535a1a0fdf1cbc4e996180b85c1efb0b4c2e538
SHA512 3ca0812d23ef112357c4b0686b5c333f04da3740fe4ecb491799aac2946244f5bbca2304d5f0ddd027bd4cf9139395073d78831f6d13d39402c07d696375bf19

memory/2724-14-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2724-13-0x0000000000B60000-0x0000000001128000-memory.dmp

\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

MD5 a8d7d850626e233cd7517ea44e20cc05
SHA1 555650459d709ff5a61a6437d7a9cba3e82b149b
SHA256 af1c6191c1234a4fd06dd5ddc590b4f0a7258467b796c70dc765f9da7604dda9
SHA512 388bbc5e7f8c3f486eb7bb0022ae62b199be0860d00efefa382511f4f9f23c493a6177e48d3c0d61ddffd93032b72f45970d5622e91955f8c0a492f0cab9ff5f

\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

MD5 7bf4aa062a2897f6abb4e5cef31a65ec
SHA1 34d5973c4967c7d4e053ff06d278c687706f08a7
SHA256 31c6b76c31476a5ba22741b37eba55fca396973702d7bb4a5cc907d1f19c1314
SHA512 773ccf0536d47e6f455cc834a804d9610ac3a3ba2e01523f6b9e592f6c91b3186d49e909c3f27aa895a0a1f9848e41721aa73b56b2a1f30452f8b135f2138496

memory/2724-29-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2724-28-0x0000000000B60000-0x0000000001128000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\db\data.safe.bin

MD5 47019713e0ec9428811d1516b7c268b2
SHA1 1fd46a4511a2dc140d18c0131f2971292bb51aad
SHA256 5e786c486d3b073b2269c4e433dc9c3132d4af8863bb80330e78b9e76ef8e598
SHA512 2fa6c3281151337c0b56d9b4f46953889f0b215a616575d198f737ca18c3071762e931afd4a9f7b5787815081a8d40b96317a2b23c53ed84c916eb70da7c0d55

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\db\data.safe.bin

MD5 7426895580fd75e60d26556c17ab641b
SHA1 856b022a95bc88fa452005ad282910a20a1c83d3
SHA256 428588f66414fad526b581535ffa2f27b071115b288686d07013c854fedb087b
SHA512 092a80a9a6a2b9c8deb05a60a768981ebfbb0336821025509ed572888b85e8d395a5aa539f79d0e7d2f434f0b9effed31f6c8cef5f9a4037de343582fda1425c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\629af05e-3311-494f-aeb9-b89f7e158b1e

MD5 b4e8c8f2b88c7e100dc5950d63957278
SHA1 c6fc8dba5cec83891ad20c129cf6e509182dbb9a
SHA256 35e5157c76290db5b59140f352273e97df25f3da9c4478ad1abd6033c8c5efa2
SHA512 aa043d1a620f56e24afdf16eb11af22c300cf35c13c4b7ce5d5025a9518a6762ff91639d50bf506001152fbd1a8d6a6da9686a3e47fd8b3f5cea0f75bfb5d25c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\dca821b0-2807-4ff2-9026-341da2c6415d

MD5 119dc7291d5087ee5b605c17e71d6c0c
SHA1 bba3f010319662bfde956894da48f5632a6f6941
SHA256 07fe54cba46554004234774034b1996453ed5e1469fb4d41bf5e4a9f848ae755
SHA512 f13d3cb269ae20de137b3048cc7b217af15fd378ad477bc78ea22c22ab375f9210799bdcd618460be7fb9078284db9a50ed5a14fb644ad8ff2d103025bae95a6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 c09e14712fceb847b7dd6bc434f9bf96
SHA1 411f88cd1df0db05df389e38d50e042aa2cd1d8f
SHA256 59338c47345d89dab532828d55085e8e68b0127e7b78872554ad073676236f9b
SHA512 c3ea66366b98c6d1194c038b0e132f6c95bb39a267f20f2decdd4d1cf6d3b6efa5c72845da4bc5c82e994b582e839748d7a23dad4873232c367de84de25a0aee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js

MD5 99a524bf69dc34f70c27e5814ab39b06
SHA1 08da39c942af5218aa971ee1a71922497faf2c91
SHA256 00f2c0f9bcc734c95e3d9bce6aed07a41c7293c6db3691111a0bcebe22c4da65
SHA512 b0edafb654efd12dbaa33db8b65e051f4b838be0794cd37179b1273dcf860d1602540240971f97066737dbe0197ccbd0052f8bff198a4aef9d17536b8d5fe639

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js

MD5 39621aadd055be32ae7ecdad4826f5a4
SHA1 67f9bf2fb69fe37f2a81afd8f4ec70fd357da9bf
SHA256 1970da2176a612a4e4513c9f14bdbff681a1b900f41ba1c884bef088c3f5200a
SHA512 878eb79fc8dc8f87aaca0054589eed88f19b15ecf8202c63025c071f8cd8f061ba94b3dd88cb4db8827fbdb788722a6c62003a186724e5c32f790df8ace304ed

memory/2724-194-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4

MD5 ffd8c2ec63149bfe4a3ec7881f1e1204
SHA1 8311eedc745d5e6bf54868afef326f54bd10ec63
SHA256 479b64165308bda91e9fbae31f972e00c280b1c07dcdc447ba60607b43344f48
SHA512 f8a230286c048723ff6f268284c2f588c185a34aa4c8357aa68c8d6d61ea9da0c3409fbe35082d395e33073d7aceb9368b04a94ad67b33ebb2e125d06ab382be

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/2724-216-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2724-215-0x0000000000B60000-0x0000000001128000-memory.dmp

memory/2724-220-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2724-219-0x0000000000B60000-0x0000000001128000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs-1.js

MD5 ee541e6926f62d4101f0eaf681dd6e8a
SHA1 c190034f46303cdce4ada4e33aca644a539cdf43
SHA256 4842c1671d1d85aabbfd489c7d821dbd663d0986c3883a9df1031a0211163c67
SHA512 800536fb698b8ac5c8d766afb54d1f255ce110187a5f52aaec90ba01ab3f9b8c578aae57ef561643cc660a04cdb0a3a7cb70bdc63716136f0b8514b4b10eee21

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8bf4123cff6f422810cc2c9faf7ac982
SHA1 2f34b630ff52cd7c3e4eed76f617509ffa842c30
SHA256 995fbb24e82e872b1c3b48af5ef2448040fe66ad4434eef15603a86e71e127a2
SHA512 ba3a28d7a42c62af04740a65b3591f6f7e0a25380b6cfa92d2f228cd739702136c6410798600805614adf6db693d4025218d51536a7ce2f0addbac50dc6e646e

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

memory/2724-311-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2724-343-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2724-342-0x0000000000B60000-0x0000000001128000-memory.dmp

memory/2724-344-0x0000000000B60000-0x0000000001128000-memory.dmp
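The Files listing above interleaves three things: files the sample wrote, files Firefox wrote into its own install directory and profile while it ran, and memory dumps of process 2724 taken at several points. The following Python is an added example, not part of the report: it parses entries in the listing's flat layout into file records with validated hash lengths and into memory regions, collapses repeated dumps of the same region, and picks out the files that are not Firefox's own. FILES_LISTING is a subset of the entries above; the Firefox-path heuristic is an assumption, and the reading of 0x10000000 as the dropped DLL's image base is an inference, not something the report states.

```python
"""Added example, not part of the sandbox report: parse the flat 'Files'
listing into file records and memory-dump regions. FILES_LISTING is a subset
of the entries above; the Firefox-path heuristic is an assumption."""
import re

# Constructed input: entries copied from the Files section above.
FILES_LISTING = r"""
\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

memory/2724-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2724-13-0x0000000000B60000-0x0000000001128000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js

MD5 99a524bf69dc34f70c27e5814ab39b06
SHA256 00f2c0f9bcc734c95e3d9bce6aed07a41c7293c6db3691111a0bcebe22c4da65

memory/2724-14-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Paths Firefox itself writes: install dir and profile (assumed heuristic).
FIREFOX_MARKERS = ("\\Mozilla\\Firefox\\", "\\Mozilla Firefox\\")
DEFAULT_DLL_BASE = 0x10000000  # MSVC linker default image base for a DLL


def parse_files_listing(text):
    """Return (files, dumps): files carry their hash lines, dumps carry the
    decoded address range. A hash line of the wrong length is a copy error."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := DUMP_RE.match(line)):
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
        elif (m := HASH_RE.match(line)) and current is not None:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {digest}")
            current["hashes"][algo] = digest
        else:
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, dumps


def dropped_by_sample(files):
    """Files outside Firefox's install dir and profile (assumed heuristic)."""
    return [f for f in files
            if not any(mk in f["path"] for mk in FIREFOX_MARKERS)]


def region_summary(dumps):
    """Collapse repeated dumps of one region: {(start, end): {...}}."""
    summary = {}
    for d in sorted(dumps, key=lambda d: d["seq"]):
        s = summary.setdefault((d["start"], d["end"]),
                               {"size": d["size"], "pid": d["pid"], "seqs": []})
        s["seqs"].append(d["seq"])
    return summary


def describe_region(start, size):
    kib = size // 1024
    if start == DEFAULT_DLL_BASE:
        return f"{kib} KiB at the default DLL image base (assumed: the dropped DLL)"
    return f"{kib} KiB private/image region"


if __name__ == "__main__":
    files, dumps = parse_files_listing(FILES_LISTING)
    for f in dropped_by_sample(files):
        print("dropped:", f["path"], f["hashes"].get("SHA256"))
    for (start, end), s in region_summary(dumps).items():
        print(f"pid {s['pid']} {start:#010x}-{end:#010x} "
              f"{describe_region(start, s['size'])}, dumped {len(s['seqs'])}x")
```

Two regions of process 2724 recur throughout the listing: 0x10000000 to 0x10030000 (192 KiB, the address at which a DLL that keeps the MSVC default image base is mapped when nothing else occupies it) and 0x00B60000 to 0x01128000 (5920 KiB). The report does not name the module behind either; the first is consistent with the "Loads dropped DLL" signature and the symsrv.dll drop, but that pairing is an inference. Note also that symsrv.dll and symsrv.dll.000 have different hashes, so they are two distinct files, both worth retrieving from the sandbox.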

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 14:57

Reported

2024-05-02 15:00

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed6dcfe516c20b3c4e309f2529f456a5.exe /onboot" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "ed6dcfe516c20b3c4e309f2529f456a5.exe" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "ed6dcfe516c20b3c4e309f2529f456a5.exe" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed6dcfe516c20b3c4e309f2529f456a5.exe" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "122" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
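The Run key, Browser Helper Object, Internet Explorer Low Rights and registry class tables above all record the same thing from different angles: the sample registers itself to start at logon, registers a BHO CLSID under both the native and WOW6432Node views, and registers a COM LocalServer32 whose executable path points into the user's Temp directory. The following Python is an added example, not part of the report: it parses rows in the report's flat signature layout and pulls those artifacts into one summary that can be diffed against a clean host or fed to a cleanup script. INDICATOR_ROWS is copied verbatim from the tables above; the parser assumes the layout '<op> <key>[ = "<value>"] <process> <target>' with registry rows ending in target N/A, which holds for every registry row on this page. The ElevationPolicy value meanings are Microsoft's documented Protected Mode semantics (0 blocks the launch, 1 launches at low integrity, 2 prompts before launching at medium integrity, 3 launches at medium integrity without a prompt).

```python
"""Added example, not part of the sandbox report: extract persistence and
browser-integration artifacts from flat signature rows. INDICATOR_ROWS is
copied from the tables above; the row layout is the report's own."""
import re

# Constructed input: rows copied verbatim from the signature tables above.
INDICATOR_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed6dcfe516c20b3c4e309f2529f456a5.exe /onboot" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed6dcfe516c20b3c4e309f2529f456a5.exe" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
"""

# Row layout assumed from the report: registry rows end in target N/A.
SET_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<key>\\REGISTRY\\.*?) = "(?P<value>.*)" '
    r'(?P<proc>[A-Za-z]:\\.*?) (?P<target>N/A|[A-Za-z]:\\.*)$')
KEY_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried) (?P<key>\\REGISTRY\\.*?) '
    r'(?P<proc>[A-Za-z]:\\.*?) (?P<target>N/A|[A-Za-z]:\\.*)$')

RUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
BHO_RE = re.compile(r"\\Explorer\\Browser Helper Objects\\(?P<clsid>\{[0-9A-F-]+\})", re.I)
ELEV_RE = re.compile(r"\\Internet Explorer\\Low Rights\\ElevationPolicy\\"
                     r"(?P<guid>\{[0-9A-F-]+\})\\(?P<name>\w+)$", re.I)
LOCALSERVER_RE = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\LocalServer32\\$", re.I)
APPID_RE = re.compile(r"\\Classes\\AppID\\(?P<appid>\{[0-9A-F-]+\})\\(?P<name>\w+)$", re.I)


def parse_registry_rows(text):
    """Registry events only; file and network rows are skipped. Values are
    unescaped from the report's doubled backslashes."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SET_RE.match(line)):
            parent, _, name = m["key"].rpartition("\\")  # name '' = default value
            rows.append({"op": "Set value", "type": m["type"], "key": m["key"],
                         "parent": parent, "name": name,
                         "value": m["value"].replace("\\\\", "\\"), "proc": m["proc"]})
        elif (m := KEY_RE.match(line)):
            rows.append({"op": m["op"], "type": None, "key": m["key"],
                         "parent": m["key"], "name": None, "value": None,
                         "proc": m["proc"]})
    return rows


def persistence_summary(rows):
    out = {"autoruns": [], "bhos": {}, "elevation": {}, "com_servers": {}, "appid_runas": {}}
    for r in rows:
        key = r["key"]
        if r["op"] != "Set value":
            if (m := BHO_RE.search(key)):  # BHO key created, values may follow
                out["bhos"].setdefault(m["clsid"].upper(), {})
            continue
        if (m := RUN_RE.search(key)):
            out["autoruns"].append((m["name"], r["value"]))
        elif (m := BHO_RE.search(key)):
            out["bhos"].setdefault(m["clsid"].upper(), {})[r["name"] or "(default)"] = r["value"]
        elif (m := ELEV_RE.search(key)):
            out["elevation"].setdefault(m["guid"].upper(), {})[m["name"]] = r["value"]
        elif (m := LOCALSERVER_RE.search(key)):
            out["com_servers"][m["clsid"].upper()] = r["value"]
        elif (m := APPID_RE.search(key)):
            out["appid_runas"].setdefault(m["appid"].upper(), {})[m["name"]] = r["value"]
    return out


def silent_medium_integrity(summary):
    """ElevationPolicy entries with Policy 3: Protected Mode launches the
    named program at medium integrity without prompting the user."""
    return [(guid, e.get("AppName"), e.get("AppPath"))
            for guid, e in summary["elevation"].items() if e.get("Policy") == "3"]


if __name__ == "__main__":
    s = persistence_summary(parse_registry_rows(INDICATOR_ROWS))
    for name, cmd in s["autoruns"]:
        print("Run:", name, "=>", cmd)
    for clsid, vals in s["bhos"].items():
        print("BHO:", clsid, vals)
    for guid, app, path in silent_medium_integrity(s):
        print("ElevationPolicy 3:", guid, app, path)
    for clsid, exe in s["com_servers"].items():
        print("LocalServer32:", clsid, "=>", exe, s["appid_runas"].get(clsid))
```

Read together, the summary says: the binary will be relaunched from Temp at every logon with /onboot; the BHO {0055C089-8582-441B-A0BF-17B458C2A3A8} is registered with NoExplorer = 1, which tells Windows to load it in Internet Explorer but not in Explorer.exe; the ElevationPolicy entries let IEMonitor.exe and the sample itself be started from Temp at medium integrity from inside Protected Mode without a prompt; and any COM activation of {AC746233-E9D3-49CD-862F-068F7B7CCCA4} starts the sample, in the interactive user's session because of RunAs = "Interactive User". These are the keys to remove, in both the native and WOW6432Node views, and the Temp paths are the ones to alert on, because a legitimately installed product would register from its Program Files location.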

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3872 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3872 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3872 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3872 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3872 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4712 wrote to memory of 3940 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 4916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3940 wrote to memory of 2384 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe

"C:\Users\Admin\AppData\Local\Temp\ed6dcfe516c20b3c4e309f2529f456a5.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.0.706957914\1524673899" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {201e82e5-765b-4bbf-98e1-c372d21adca5} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 1900 29751623758 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.1.1782322122\615773550" -parentBuildID 20230214051806 -prefsHandle 2480 -prefMapHandle 2476 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c27d9f5-a94e-4f46-a3d2-0517556ecf6d} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 2492 29744885f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.2.484311824\138045719" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2992 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2982e80f-2854-4284-9a13-a70431746299} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 3008 29754558b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.3.2078606294\200376141" -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c040b44d-f27e-4b19-9db9-09ed597f4c8e} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 3980 297561c9e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.4.98373549\1568734183" -childID 3 -isForBrowser -prefsHandle 5064 -prefMapHandle 5072 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e49ffc94-b007-4871-bd7b-6ad856420232} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 4960 29757edbe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.5.1462371310\1982276022" -childID 4 -isForBrowser -prefsHandle 5232 -prefMapHandle 5236 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08290798-cb0a-4d39-a584-7b3decce5068} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 5224 29757ede558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.6.745831938\1352091709" -childID 5 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86a78657-911f-408c-a1b3-44c282c6d1a1} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 5416 29757edd358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3940.7.1250061811\1973740094" -childID 6 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5e5df31-5119-47cb-a9c6-5767079a5811} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 3092 2975894b958 tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.137:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 137.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 23.79.56.45.in-addr.arpa udp
NL 23.62.61.137:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
N/A 127.0.0.1:59403 tcp
N/A 127.0.0.1:59409 tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 35.164.250.149:443 shavar.services.mozilla.com tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 addons.mozilla.org udp
US 18.239.208.2:443 addons.mozilla.org tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 133.27.61.169.in-addr.arpa udp
US 8.8.8.8:53 149.250.164.35.in-addr.arpa udp
US 8.8.8.8:53 221.5.120.34.in-addr.arpa udp
US 8.8.8.8:53 2.208.239.18.in-addr.arpa udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 232.212.58.216.in-addr.arpa udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 registeridm.com udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1---sn-aigl6ney.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 79.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 166.183.194.173.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
GB 173.194.183.166:443 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
IE 52.111.236.23:443 tcp
US 169.61.27.133:443 registeridm.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.56.79.23:80 www.aieov.com tcp

Files

C:\Program Files\Common Files\System\symsrv.dll

memory/3872-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3872-15-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3872-14-0x0000000000640000-0x0000000000C08000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js

C:\Program Files\Common Files\System\symsrv.dll.000

memory/3872-134-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3872-149-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3872-148-0x0000000000640000-0x0000000000C08000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4

memory/3872-155-0x0000000000640000-0x0000000000C08000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BA

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

memory/3872-2151-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3872-2150-0x0000000000640000-0x0000000000C08000-memory.dmp