Malware Analysis Report

2024-12-07 03:04

Sample ID 241113-xy925sxglc
Target 0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15
SHA256 0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15
Tags
floxif adware backdoor discovery persistence phishing spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15

Threat Level: Known bad

The file 0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15 was found to be: Known bad.

Malicious Activity Summary

floxif adware backdoor discovery persistence phishing spyware stealer trojan upx

Floxif family

Floxif, Floodfix

Detects Floxif payload

Reads user/profile data of web browsers

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

A potential corporate email address has been identified in the URL: [email protected]

Installs/modifies Browser Helper Object

Adds Run key to start application

Enumerates connected drives

UPX packed file

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:16

Reported

2024-11-13 19:19

Platform

win7-20241023-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

A potential corporate email address has been identified in the URL: [email protected]

phishing

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe /onboot" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
File created \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
File opened for modification \??\c:\program files\mozilla firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
File created \??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1484 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2380 wrote to memory of 2740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2740 wrote to memory of 1856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2740 wrote to memory of 1996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe

"C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.0.1447602619\1095287986" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8756876-0865-417c-ba55-10f5dc97653b} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 1312 45dab58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.1.275280466\912029475" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {791666bd-70d8-4927-b17b-a73564bfaf90} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 1528 e6fb58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.2.809224756\528510354" -childID 1 -isForBrowser -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {907eb30b-2863-4773-8772-926c7c25d623} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2144 1a89b858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.3.290116932\640576928" -childID 2 -isForBrowser -prefsHandle 2632 -prefMapHandle 2592 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfaa6fa4-ef42-4d71-b389-ee4deba79f2e} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2644 e2d258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.4.2073769267\1483672422" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3700 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e043382e-492f-4a00-adfd-89991cf498fa} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 3744 1efbb258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.5.1307364528\89565984" -childID 4 -isForBrowser -prefsHandle 3860 -prefMapHandle 3844 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c40c823-5b2e-4f2d-812e-89c37a01e33b} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 3848 1efbb558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.6.307757023\639894015" -childID 5 -isForBrowser -prefsHandle 3936 -prefMapHandle 3876 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4898d32e-4589-42c7-bff8-58106bb22e35} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 3924 1efb8e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.7.1950085289\1504859959" -childID 6 -isForBrowser -prefsHandle 2168 -prefMapHandle 2268 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6603aa1-726b-45ba-b0f5-a07c45aab1d7} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2224 21fa0558 tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.79.19.196:80 www.aieov.com tcp
US 45.79.19.196:80 www.aieov.com tcp
N/A 127.0.0.1:49213 tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 addons.mozilla.org udp
US 151.101.129.91:443 addons.mozilla.org tcp
US 8.8.8.8:53 addons.mozilla.org udp
N/A 127.0.0.1:49221 tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 addons.mozilla.org udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 216.239.32.36:443 region1.google-analytics.com udp
US 45.79.19.196:80 www.aieov.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 registeridm.com udp
US 45.79.19.196:80 www.aieov.com tcp
US 45.79.19.196:80 www.aieov.com tcp
US 45.79.19.196:80 www.aieov.com tcp
US 169.61.27.133:443 registeridm.com tcp

Files

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1484-3-0x0000000010000000-0x0000000010030000-memory.dmp

\Users\Admin\AppData\Local\Temp\A1D26E2\EADC8085CC.tmp

MD5 4ca381c087b83a48e7ca60c31f74bc77
SHA1 13e7c19e9423ad6df111bd529bf8a81492a2e89f
SHA256 a8ace11e1050c99d4c77f814ed20a3f184ba11afd680e2caafad4bb76532b759
SHA512 bdc1608045b6177b3c8ee556e9eb39e66330cc7fe6cd61e11143e303631380cfca63122bf07a3bf06467d65a93a889051f3f3996ca18d88161de1caf499cb6e8

memory/1484-14-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1484-15-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1484-13-0x0000000000120000-0x00000000006E8000-memory.dmp

\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

MD5 71d48ee7d3dc4d52f846474bc4a610ec
SHA1 c4d9a6665628034ecf5e1dc1ffe6d2b55c36aedd
SHA256 1108124b7fb7ef9d895c0acc961f61255add1663913dbc9d5dfd22139a6ddc81
SHA512 48d5f7fc7df0aae075250212024cf9e58385435f9d17b9b8f31c8684fb859cfd87e79088b108f8d8b1f2302129143e744129a65fc97c68c82d870cbd370583cd

\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

MD5 9032c8b1f17045a380c3e66d1eeee0fe
SHA1 c026fcc3e54ffabb4d0122b7049dc1a0b8791188
SHA256 c89e5933310905156d235716c17a49bcd7d2f877b265242ae4d2360b536f91cf
SHA512 65fd549e2759e9632f1a59c8fc385c39b2c9311aac57296a339202d3d4a001239b7eb0f0e4a82f1eef45eb0b8a4ecea19e2be1930f6a1e3c9a56f32d6c854d89

memory/1484-31-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1484-30-0x0000000000120000-0x00000000006E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\d95ec5f7-fff7-41fd-a4ab-29693f805675

MD5 d0ad9450d4506d730c91be61d71fc45e
SHA1 af7ede95be326edf87b9b0d6d1b2784d381227b5
SHA256 724ac59af3b366d5427f84db3e728a238c028e0dcb88834267cb55bd33adcf70
SHA512 5d025f212bf3815093f929aa44bfad8bcfd095b018b2a7eb1ac9541e5d8c0ae88dcfbac01ef217e3e4b4b5ca3ed6cb0269b494f4281903b74984173e19737548

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\5f26739d-1068-4c8f-aaee-6f78b1b19257

MD5 51aadee8e970c34507532eda8595cd36
SHA1 3fc4ecc497c9026a079998987b8373928bff6507
SHA256 88e132ae2fa18fc2938162ff17e11f7143c47e6147628487db3df7cffd4f582d
SHA512 0ca2fad103e4cf4c7670e7a24f39e0a050ceff3e29c32482473c77026e4d46e22f576e921527f74f62693c8ffb7d7abb8ddf43d02c09154907968ed881b7d3b3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin

MD5 a473a95d6e6a60d5c9b5f73a9c9f5879
SHA1 d2b068801e81e535d4c2fd042270459c0a419f02
SHA256 0ec9a658468c9000005e114d9f731562b5bd37a748b6f2ae96ced8c6d8925b87
SHA512 3ae7d0ea2988d9c1b000a18e785b9ef303fef25dec7344c093ff6103355bdb4b05729b5c84b708a467f95ecd5884c11e07de1b242a2bcef9406d3ed5b80d192f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\activity-stream.discovery_stream.json.tmp

MD5 05576f286a90d69ffbe5096c197de58c
SHA1 123bbbbef0900f6021859139f23342c11bb7fe17
SHA256 0c781a7c8e16db5bcc24e4af1e603994bf9ac6368dc88bb2fed7868a3624fb4d
SHA512 16be40fe82320d48106014285984daf9ff60305b68f7814ae7bb327eeb7aa3fb0769b1373e2899208a030e0f8f83fc6e082ecc3028e45dd462d73238108239c7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 f99b4984bd93547ff4ab09d35b9ed6d5
SHA1 73bf4d313cb094bb6ead04460da9547106794007
SHA256 402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512 cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs-1.js

MD5 f16d313c7c98f54df5207a45dc07af38
SHA1 2c6ace812b5407c4a076dcc3b2615974424ade1d
SHA256 96c668aa265ca6c114271a62a29567b436968bc0936938327916fc116ecacc15
SHA512 89377f79a1869a0cf71d68245e9ea5c4a05684879c4506297694ead9cf83e2bce9112fa0046c301f536fe28613e913731d6ed50f44d517e3d4f26d12ec05df2d

memory/1484-204-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5b8b59ad294524f253cf6c5707263fad
SHA1 0320e48290d5241fda476384675de1e3fd503266
SHA256 d02df8b2fbdf34bda54f542dc619438f4f16397bd0eb9884ad46396cdf7b66de
SHA512 0a99944c470244c9ff9bcc65a262055a34e3914123cf60ebf3e2b3adcc14707703cc8520ffc0e5e58a77d3601378950753b970692b46fc4d043ff1fa865c963e

memory/1484-224-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1484-223-0x0000000000120000-0x00000000006E8000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/1484-230-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs-1.js

MD5 7273e3373a29e53a8a8659f369346544
SHA1 90d1f467c56d48d3ebfb7a6b590ba47cfafabbaa
SHA256 d112997f7b17f2fa344a338a3bb8ba539c399cf2070f35d884ee13d45cafceeb
SHA512 40377cf95247caa425f7080a99e37c1f1c29f8ff4c821d9d37d61e6cf64d19ef5353c9e7fcb9b05cf2a61bc411032d83207b812609c9d8f90480aa270fb4d3b9

memory/1484-243-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1484-281-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1484-280-0x0000000000120000-0x00000000006E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 19:16

Reported

2024-11-13 19:19

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

A potential corporate email address has been identified in the URL: [email protected]

phishing

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe /onboot" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 8 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 8 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1952 wrote to memory of 3916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3916 wrote to memory of 1176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3916 wrote to memory of 2636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe

"C:\Users\Admin\AppData\Local\Temp\0451b6e6c4fa6f188c9ab0c199794025ecec7c6d7918e399c148acbd0196af15.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c92c67c-e861-4500-827d-a5321225a477} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79830068-7b00-477a-8318-940b0540f792} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2960 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 2772 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6051ac62-18b5-4bfa-998b-921cc98467dd} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2828 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74e6dd5d-3f17-4283-9acf-7326672cd8b1} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4832 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4808 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07003e29-ecba-41d0-8a0d-2e185faca613} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5184 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa31bb4b-62d8-4ebf-9aa3-318b07361c43} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f7f0571-c483-446a-9196-16b6e1f657ab} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18a7c7ae-6ce0-4d94-9321-91e8b0c75ed5} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 6 -isForBrowser -prefsHandle 3148 -prefMapHandle 2700 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {939e40aa-42e1-4305-8ebd-c2f63031e66f} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network


Files
