Analysis Overview
SHA256
0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15
Threat Level: Known bad
The file 0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15 was found to be: Known bad.
Malicious Activity Summary
Floxif family
Floxif, Floodfix
Detects Floxif payload
Reads user/profile data of web browsers
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
A potential corporate email address has been identified in the URL: [email protected]
Installs/modifies Browser Helper Object
Adds Run key to start application
Enumerates connected drives
UPX packed file
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:16
Reported
2024-11-13 19:19
Platform
win7-20241023-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
A potential corporate email address has been identified in the URL: [email protected]
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe /onboot" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe
"C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.0.1447602619\1095287986" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8756876-0865-417c-ba55-10f5dc97653b} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 1312 45dab58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.1.275280466\912029475" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {791666bd-70d8-4927-b17b-a73564bfaf90} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 1528 e6fb58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.2.809224756\528510354" -childID 1 -isForBrowser -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {907eb30b-2863-4773-8772-926c7c25d623} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2144 1a89b858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.3.290116932\640576928" -childID 2 -isForBrowser -prefsHandle 2632 -prefMapHandle 2592 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfaa6fa4-ef42-4d71-b389-ee4deba79f2e} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2644 e2d258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.4.2073769267\1483672422" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3700 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e043382e-492f-4a00-adfd-89991cf498fa} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 3744 1efbb258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.5.1307364528\89565984" -childID 4 -isForBrowser -prefsHandle 3860 -prefMapHandle 3844 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c40c823-5b2e-4f2d-812e-89c37a01e33b} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 3848 1efbb558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.6.307757023\639894015" -childID 5 -isForBrowser -prefsHandle 3936 -prefMapHandle 3876 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4898d32e-4589-42c7-bff8-58106bb22e35} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 3924 1efb8e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.7.1950085289\1504859959" -childID 6 -isForBrowser -prefsHandle 2168 -prefMapHandle 2268 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6603aa1-726b-45ba-b0f5-a07c45aab1d7} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2224 21fa0558 tab
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
Network
Files
memory/1484-280-0x0000000000120000-0x00000000006E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:16
Reported
2024-11-13 19:19
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
A potential corporate email address has been identified in the URL: [email protected]
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe /onboot" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe
"C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c92c67c-e861-4500-827d-a5321225a477} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79830068-7b00-477a-8318-940b0540f792} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2960 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 2772 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6051ac62-18b5-4bfa-998b-921cc98467dd} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2828 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74e6dd5d-3f17-4283-9acf-7326672cd8b1} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4832 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4808 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07003e29-ecba-41d0-8a0d-2e185faca613} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5184 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa31bb4b-62d8-4ebf-9aa3-318b07361c43} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f7f0571-c483-446a-9196-16b6e1f657ab} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18a7c7ae-6ce0-4d94-9321-91e8b0c75ed5} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 6 -isForBrowser -prefsHandle 3148 -prefMapHandle 2700 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {939e40aa-42e1-4305-8ebd-c2f63031e66f} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.23.33.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 169.61.27.133:443 | www.internetdownloadmanager.com | tcp |
| US | 169.61.27.133:443 | www.internetdownloadmanager.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| N/A | 127.0.0.1:58396 | | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 8.8.8.8:53 | 133.27.61.169.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.230.163.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.101.151.in-addr.arpa | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 232.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| N/A | 127.0.0.1:58403 | | tcp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | test.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | secure.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | mirror3.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | mirror5.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | registeridm.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| GB | 172.217.169.78:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 88.221.134.155:80 | ciscobinary.openh264.org | tcp |
| GB | 88.221.134.155:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 172.217.169.78:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4---sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.175.125.74.in-addr.arpa | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 169.61.27.133:443 | registeridm.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.23.183:80 | www.aieov.com | tcp |
Files
memory/8-3-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/8-14-0x0000000010000000-0x0000000010030000-memory.dmp
memory/8-12-0x0000000000230000-0x00000000007F8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
| MD5 | b8b2beb5d42f0dae6e6924fbaad0d20c |
| SHA1 | 3046eadf477f672dbf19fdf6dce510080c183b6e |
| SHA256 | 6767e328eb544518cd31596eb36b8906113cf9457d8ddd1a3c534cf210eeb732 |
| SHA512 | cda4db498bc3fab1af321c57abafb4ee4b40259df0d8c26f958c042a72f6a9fd9cd77acf94c97effcfcafae458e90a8bc02247b283328fca19347253bcb424f5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\c199e34f-1b2d-483b-beac-8af6908d3f6b
| MD5 | 6baac9275869920917fb85afb7522289 |
| SHA1 | e489f4ef5c60a445befdcf69d2062d28a517840f |
| SHA256 | 66cd367c753971a313f9524b76fd22b6be8eda31bfae8a7492b2fe5b6f53bafe |
| SHA512 | a373b146aa38ab9eb23d4938244e91f9ce88cc747244a6b2f1aab4e87a02da394a2256c91bad1c957c848b2b21c3d24d30e35f6786007133ab33f5086f54f09b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\e23cdbec-a631-4275-9209-007b217574d1
| MD5 | 7999c1ae30574e2f0bad5cdcfeb52606 |
| SHA1 | f5f38d8173de9a7cfd6f4990b68b24e50d58c6c0 |
| SHA256 | 64f59ba97a4751a5fd876c518e52d26b28999098df83ebea0989ef5364651727 |
| SHA512 | 477544ca987985313b724049fecd4101fbb72871b861e359ad49314f7cb89b0d24ee47d7cbb2237fa83806663921fe43292358c79faee9bb1c1683bfba733738 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\cc007c7d-f13d-4284-b6f4-6f25f8b65fb7
| MD5 | 666968863c8291475f253ced4601d736 |
| SHA1 | b1b15506aef1cec90b36edf60667128762be43a1 |
| SHA256 | a5e97ee23d83b778dc96912eac1b853ac4daf875cbf6b4815ac92bd28f46260a |
| SHA512 | c7725156b3dac1460a4715540f644a14221a34a5ff8b76e712c638a4b8a771ad035280d2bae689862fa80ac2265fd8c68391daec896256306a8e6e598f5cb58f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | bda6163e9e5e4b43a37e9bd5729c9540 |
| SHA1 | d297d6b54b567d3312b4360d3ff45e8dc60aaf8d |
| SHA256 | 1a20ce1cd77e0aa642adfb29abc697029864739a3c7a646ef25c8d0614a3f706 |
| SHA512 | 6bc63759545f7073dc366c4385094a27395b2b634d059fb0142caf66a13eab176eaa9f1e5a01ab7fe9e92cee7b7ca83acf04344652726da3caa2127750b2c94e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 6c5342f1fa8ae488ec912f1ae62070e6 |
| SHA1 | 3aaa13e9c87f0baaf14a9c749181a5958ddfba49 |
| SHA256 | 8df63e33124501b979e56dda85ec9a314a2c003c481b03cb9242ef756614f026 |
| SHA512 | 9bc3992d37971b7724c739eb08ad2ae2bbc47efefd7341cad1d81254c0ceaa32155690372f3fdc0015e78f3ee1250ec55f004c12ddb0a8acb755121aa7507261 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json
| MD5 | fce3210bced14a2e9d11b2300b5076dd |
| SHA1 | 8df83dfb90dd676cfc2874b24b15b5568ceba22d |
| SHA256 | c02ec12ceb4ded9ecdffd52fc8e22813fd11aa71c71d774e91ec8341b5fb3ffa |
| SHA512 | 3ce43bf795fed3d309bb74111155ce8aab40716fb3a6ff2f97340efa9a8c155e65ff3ec4971556561bb2c0f4717924456a61390dea80b664fc4f391cefa04874 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js
| MD5 | 63778397934314a8c4fbea595706a09f |
| SHA1 | 6f9f50fcfb6b31c26fac39f77effcbd1cab7a95e |
| SHA256 | ef58f259479ceb67ee55624b95a6b6e87e297b5329981d2af3980216d13fe7e1 |
| SHA512 | ce911ceb8d5d056daca23bdf9bc3d6aeea025501ac2680cffa23be7785a3e3296ab24283e775e675a9bd515e57185df72a682efd9b0ea1dc92b6d4b47d01f525 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
| MD5 | 9b8d776bb1384ee5187019e353bb2429 |
| SHA1 | ca6eaf8f0554823e90589d3bc11395871b562348 |
| SHA256 | 31e1b44d3a89b9b2a7be84d67c5e47dbe2f3b7212c92d44b65a3729bdd4878ad |
| SHA512 | bf0de77d25be1a80643447b8c69ec0d4b9cb3aa41dcc5300007d15170c2a7e888ac645955731f114cd10454a20e04dd833989798ba3cb2883a72c9f6d9f1a31e |
memory/8-393-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
memory/8-409-0x0000000010000000-0x0000000010030000-memory.dmp
memory/8-408-0x0000000000230000-0x00000000007F8000-memory.dmp
memory/8-414-0x0000000000230000-0x00000000007F8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js
| MD5 | 990cd6b606e506cc967f031398a5c31f |
| SHA1 | 0ac678db7269b6acb7ddbbd64b658bef9aa81059 |
| SHA256 | be761379f81940840748e759c89ce2bbf9dfdd655a0724080b5952116369bb20 |
| SHA512 | ee44e1909595eaea0282332e6a476256d2cb0e49d894b6ada2c242c358d12e344f3fa71d7b42f9b3b1446c264afdb112737786837e2bd1f12eb8e375e71fb746 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | ef205c3ea5027d39f96b6d40c5884d44 |
| SHA1 | a0931750dd8ce59dd64c61d0fde3a080a505ebcd |
| SHA256 | d244592052f2f91967a99fd6d8a3a3525e54755cdce71e7dcc90954b7db2b91a |
| SHA512 | ed0f7b88522dcd6e9e9f04805a69faafe2b2066d1c36c2203bccba727bfe498e4f5d9b43f6558515a644ffaca28dbe87af24e0eb32afd8c416a359fae3e2cc3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 40c3e22bf345308302ac36beae60aa1e |
| SHA1 | 66dd3998c9ee77fdfa7edb92a3834245cf9e41b5 |
| SHA256 | 3ff04b8c5c08a50d986de2aa71fcff1a45b5b689424d90454e4a4220d1ccae40 |
| SHA512 | 33259e9c65f42480f2799ea701488491c9983a1d35ceac65773b5366a01b38d9f2ab3755720bb6a4062d1e1b4c871dd5a63cd625b6ea47f2a62a89468ac739e5 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
| MD5 | 11c4b1d6c47c91083f15e75e82ed6f12 |
| SHA1 | eb6eaad13b113bf742bc5216a4cf75450c6cb980 |
| SHA256 | 2ead44bc76c9fd9705e9dee6b885e7d9226ff4bbf52822406febaa8700ba9c61 |
| SHA512 | 8dadd64ea4d98ad0223e8c8250a314906fdb141c0ddf9a4cda2a9dbb38e5c6e5cb4b91de548c54cc4e7a0363d8eed2540453b02316411a394d5b582729e1d185 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 3f3044de20a9f1bc239eb401cb6fa040 |
| SHA1 | 6ea38b9f2581aa237c5a0db035ab7f35f4588ba7 |
| SHA256 | c09f35d745c2288f830e3e92183da2a00882f2e59b610388bec553870b75247e |
| SHA512 | 45d3f1fff94212cf77d58c081cecc012e2cab16d7daa871a657f62b11274ce81b9641e45f6b8083aacb2e01f13f862b56d13809862393e8e64e7bbde4939460c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244
| MD5 | 712c90a75e4dc3ad6239aff0627163a3 |
| SHA1 | c5ad23aa7e8a38e1de89af98f8f57e97642fea5e |
| SHA256 | 615b4272e3810109306595d8e4bf8ff3720df2010304243a4299226aeb0f6031 |
| SHA512 | aa5333758a39d90d173749d90985ef645c9ec29c860226faaff3b33a0b31bbb9d908369893b97347b73f050eac8fd3fa13271916955346b0579968927a8d5488 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js
| MD5 | a5dbe2a91575fdffae74432034a15bf1 |
| SHA1 | 5291655ffd91b51b6c44879d6b886ceff36072db |
| SHA256 | 1cf9df824f966e1caa9d615b4f5b49b3ec46de059c747d79554b389bd15c1a80 |
| SHA512 | 2a79784b58ec4e89bf1b377a741007066b27d47f9f87d5a5a8066dec0c21cc46bf560b124d5fa738c39f1d438cf61c2eeb0519881f136d933c8fef4a02493872 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
| MD5 | 8eb0849946bc569c6f708ba9c1f4314d |
| SHA1 | 9a9d2ccc301bb3a9431c9880d6e2f154e5e9e297 |
| SHA256 | bae6ade65bb1ca462d9cb63c238fb8f78e9c1047ec410d73196bef9aa954c022 |
| SHA512 | f297218df920e4d339417465d05acfe49f753127235355d8d3b32c79c1ee923800cce535ceb12932ed2a40998821b6570044fc50327836b11750127f6cc1cb21 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
| MD5 | 5db6ae4cc70b6638dbf61becdc6fccba |
| SHA1 | f7f7abe15cbd7fed61f87abf61af218b6e2417e3 |
| SHA256 | 8784bf170e834e96f204269d495084baa5882fe2507ca505de83be11a8667db4 |
| SHA512 | dc4965265c6b0a48a5a538a9b226a5d9e2a8e2064fec39228c602da00229c1db17deaf84f3d4fd6f33b94152af44cb5fbe34b3ff3e9a5a9d6ffd7e8fb45faadd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 70c54f086d11a7efaf819269fce05c2b |
| SHA1 | 38d312bbfe7361f2b33a168d793fabe94a532b85 |
| SHA256 | e99512472d17d89d2ff20d7369a7e615496ea9e4415777a097757dd543299939 |
| SHA512 | 961fa8d83ae58d664bad7cfef8941f821bb55dd576d94936315a4bfc5cc8fac95350f9b5fd6a8222a32fa1163f839f8aafb5eddb4c375514b7848264243cd4e1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | ba817cccb3df23b9351149917ce66f7f |
| SHA1 | 81fd80558d1cbbcdb4493e3d1e158641774413fb |
| SHA256 | 05e873e16357632f7a0cd1711e713603894482277edfc198ba459fd8aed7a265 |
| SHA512 | 9744fb1288dfcc8904ddaaf05083534c2ce21230b89ed8804dccf72bf39c98120729f99f868adc9745e02a7002903a6211acf38dfac62fca214363a0c4872390 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
| MD5 | 8f38694893eb898245451d2b7985cb0b |
| SHA1 | 17330c223799e96a360addcdec2c9da19bd64c42 |
| SHA256 | 58af9769f52b1af16ec33ee44e626974420d3ab0e7eef4431f3e09eb52491dda |
| SHA512 | 849f10f2a358c790f96379d3899d6095d74907764784b4203476bc9d380f7cb4760d90420ca6da9561ec97179db9917aa869c2b8d872fd7480018badf6ffc516 |
memory/8-2564-0x0000000010000000-0x0000000010030000-memory.dmp
memory/8-2563-0x0000000000230000-0x00000000007F8000-memory.dmp