Analysis
max time kernel: 118s
max time network: 93s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 13-11-2024 19:52
Static task: static1
Behavioral task: behavioral1
Sample: 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Resource: win7-20240903-en
General
Target: 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Size: 5.8MB
MD5: c5ef60a303d415772ed3c3445b45d690
SHA1: 092298141ece7234ebded0500dadbbf5c05fb24e
SHA256: 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8
SHA512: f1c07b789e7d190b03bceb367937b2530910d98f83cdc9bf3b5f7c80a13509dea0e6b71136deeb5cd4a559826456bec7304cc6ce9b88b687a88399cdbc3a1052
SSDEEP: 98304:SvcBPAQeGPUP471te18frP3wbzWFimaI7dlot1:SSoQ9/1dgbzWFimaI7dlo1
Malware Config
Signatures
Floxif family
Detects Floxif payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/files/0x000a0000000120d6-1.dat | floxif
A potential corporate email address has been identified in the URL: [email protected]
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
behavioral1/files/0x000a0000000120d6-1.dat | acprotect
Loads dropped DLL 4 IoCs
Processes:
pid | Process
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe /onboot" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | Process
File opened (read-only) | \??\e: | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Processes:
resource | yara_rule
behavioral1/memory/2248-3-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/files/0x000a0000000120d6-1.dat | upx
behavioral1/memory/2248-15-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/2248-14-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/2248-28-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/2248-212-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/2248-252-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/2248-263-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/2248-284-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/2248-297-0x0000000010000000-0x0000000010030000-memory.dmp | upx
Drops file in Program Files directory 6 IoCs
Processes:
description | ioc | Process
File created | \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
File opened for modification | \??\c:\program files\mozilla firefox\uninstall\helper.exe | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
File created | \??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
File created | C:\Program Files\Common Files\System\symsrv.dll | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
File created | \??\c:\program files\common files\system\symsrv.dll.000 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
File opened for modification | \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies Internet Explorer settings
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Modifies registry class 19 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | firefox.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | Process
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | Process
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Token: SeRestorePrivilege | 2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Token: SeDebugPrivilege | 2800 | firefox.exe
Token: SeDebugPrivilege | 2800 | firefox.exe
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
pid | Process
2800 | firefox.exe
2800 | firefox.exe
2800 | firefox.exe
2800 | firefox.exe
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | Process
2800 | firefox.exe
2800 | firefox.exe
2800 | firefox.exe
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
pid | Process
2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe (11 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | Process | procid_target
PID 2248 wrote to memory of 1428 | 2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | 32 (7 identical entries)
PID 2248 wrote to memory of 2856 | 2248 | 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | 34 (4 identical entries)
PID 2856 wrote to memory of 2800 | 2856 | firefox.exe | 35 (12 identical entries)
PID 2800 wrote to memory of 2816 | 2800 | firefox.exe | 36 (3 identical entries)
PID 2800 wrote to memory of 1952 | 2800 | firefox.exe | 37 (38 identical entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2248

  (depth 2) C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
    - System Location Discovery: System Language Discovery
    PID: 1428

  (depth 2) C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    - Suspicious use of WriteProcessMemory
    PID: 2856

    (depth 3) C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2800

      (depth 4) C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.0.650493998\1338513965" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d97ab5ab-cdc3-4717-a1f8-edcceafcde11} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1288 127f3e58 gpu
        PID: 2816

      (depth 4) C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.1.2058340583\1441439140" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ae40625-26d3-4d15-8ce4-9816fcedaf36} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1504 f6fe58 socket
        PID: 1952

      (depth 4) C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.2.1098539955\584139531" -childID 1 -isForBrowser -prefsHandle 2204 -prefMapHandle 2200 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db524ad8-d181-49f1-aaf6-92fd11028910} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2176 1adad758 tab
        PID: 2772

      (depth 4) C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.3.1501579381\652999859" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2808 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00799068-0114-4da1-986c-cbf16b4bf6aa} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2824 1df84a58 tab
        PID: 1852

      (depth 4) C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.4.828641871\1565578770" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3712 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e93ea8-bc2e-47cb-8067-23f790ace86d} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3724 1f74c258 tab
        PID: 2756

      (depth 4) C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.5.246731019\1536465589" -childID 4 -isForBrowser -prefsHandle 3832 -prefMapHandle 3836 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cac9240d-6ed2-46a8-a978-b2574b77fa1a} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3820 1f74fb58 tab
        PID: 2172

      (depth 4) C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.6.72649514\701880406" -childID 5 -isForBrowser -prefsHandle 3896 -prefMapHandle 3840 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f51bffc2-1c0a-4d47-947c-f5ebfe48c7d6} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3884 1f74f558 tab
        PID: 2796

      (depth 4) C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.7.14676614\1244772850" -childID 6 -isForBrowser -prefsHandle 1708 -prefMapHandle 2736 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9c571c0-81f5-4225-a262-cc262570a32e} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2084 22636158 tab
        PID: 2420

  (depth 2) C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
    - System Location Discovery: System Language Discovery
    PID: 904

  (depth 2) C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
    - System Location Discovery: System Language Discovery
    PID: 2400

  (depth 2) C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
    - System Location Discovery: System Language Discovery
    PID: 2884

  (depth 2) C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
    - System Location Discovery: System Language Discovery
    PID: 2176
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Browser Extensions (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 175B
MD5: 1130c911bf5db4b8f7cf9b6f4b457623
SHA1: 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256: eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512: 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 23KB
MD5: 2bae4b1b5ae9107e640b7a9c7e91a8a9
SHA1: 481790ea18a5975aacbeea7710da4a40d10a6a7c
SHA256: 06d489a3f7e4a40fcc33bc35954f4a3b96ac822aa42d8a47e186894084e0da02
SHA512: e40bd3f94268c484e39b9bcf96d6623d8528f74e430486c8e1696942a922cdd264b93980e2d5b8b1e6cde84300c58444b55d686a7ff53aa12ef1d8b7e0dd4c2b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 13KB
MD5: f99b4984bd93547ff4ab09d35b9ed6d5
SHA1: 73bf4d313cb094bb6ead04460da9547106794007
SHA256: 402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512: cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: 9b3cd85656b476874b8696ffc1cf5a71
SHA1: 2b114161a6fca625b8e184c1ac372106b0488ed8
SHA256: 45925dd65cfaa4936aba19e040c0a4da50c2579b751e4d13ccb62f99ab456c8d
SHA512: ffbf519974496bc591605bed2702b82e5a96765c7955cc9e1e00734ba69b631edb06a87f466f3e826a3206f54784833df3a994180f491b5ce096ed1748000461

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\c8fbe872-f64b-4b62-b16a-4b748543a41c
Filesize: 745B
MD5: 8799e37a0eab546e383c197d035c99cb
SHA1: c6a3a7d595d9544d8d9d5508d11cc1b8fe0215b6
SHA256: ec9931ab159771e5a915ceb1ecdf33f637cee3d73db6c24a47f1f99f21cbf39a
SHA512: 6022075a9614df3cafdedf73c237cd53fe131f9e5a2c0ad24cce905dc0ed71ec535c1ca27c51c74c3355694be763e2aa7e8ab19811c972ee28612f5f8498cebb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\d5cf5003-91c6-43a0-b04b-5a39c2959468
Filesize: 12KB
MD5: 49919acb3ccf6ee504a4666a59407531
SHA1: c9819f43aeddbb9e6430f4cde6637cef0f93814f
SHA256: e510fb9c2f48f3db53e276c347f091850aa5976ff997963808b9191279fa070d
SHA512: a2792ae1ccf7b87f20389e1b05d8d52601c271f49d6bd7511910fd456b47b436aaa2c7df7e9e82136bc62494733afe0539f48422b9a3c7542aeb6a8a7dad095e

Filesize: 6KB
MD5: 5ecc2075f89d1af9a048f685ed4aaf74
SHA1: c26150e3155740b1edfcbde3c8997d026e5fcba1
SHA256: 98eb9bc3d28e1ad776c322db160963466bb286498a8154b850c4fe0b38459d99
SHA512: 842ead01a62d362639ed8a11b847c4ea4192de7b0d7f7a7c2d7b2ea4bad38b4381a917872e07a026740f1f640f2ac1158bf358a124ccd798aa894b05dbfa6f88

Filesize: 6KB
MD5: 6146b3a78dc721c28394a15192b45d0c
SHA1: 9094776e157f4c76ad3bc9462bf2339bbbeaa71d
SHA256439d74f1803053d9ac12fa08d6761e354128a01235b08e7efc224cb638708c2f
SHA51257af617eeb84e9f30b9233a21895bf54fc75902958acc208752dc6a261200660a33641d8627e58f3df8600e2d87b8a7d244b24f0b1d01364b4eb559957bbf050
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD56e34dea690012baa0636b34421fd611d
SHA13bf8b0601062391fa176aefd26f29827d94279a2
SHA2562ca2058fd45af2612d16faa8c371f9a2cdb4fcfed2bc6bb5ec5868d3dec71128
SHA512a849ec4e60d8f4aae4988774e297e472b34fde4f5636aa29e13f3fabbc83e12174c3ec2c0270a901f88ccc52d494e32f32d8326bbf7c8a83be1265dde60dabe9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD57c8c90b23e7d396c0921eede543cce71
SHA11bb5e384327a881d10edb7d6d116e41d0e27ad29
SHA25639e3d7474e976f0059f925da7488db96c4d031e8985f83c447f6a4d7f0ca3268
SHA5129e6feedb5f40ae2e2abc025c70cd8598cca0927442eaa925236970912254366fcae310bfed097ec2893e48ca1254b28c5e0c65aa51ab415dbbc4a015ad1008d1
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize
261KB
MD5c7e5520ed203ab5a47cc230aa82a7f8f
SHA14356eba3d63cfa115c4f1f7fbc19a837f4c92ecf
SHA25623a4da975f497b8f541d56f301f3246cbc5fb680a0fb8a7bc0b34b5276512dbf
SHA51225177a40d796f8dad6426f225da4899bbf2a6f40e5ec6740fe24be99f1e3fa9bab5030153d1b39935e2d51e0de724b6bd5d4a72fcb198de19c37df441efbab0f
-
Filesize
1.3MB
MD56f87aba66431f8b0b6a0afa1532983ff
SHA1296dc56397d800088da66de9a5653358d4bb27f7
SHA25682ed47127c67be3836eccc1cc6ce9de16fd2e60e745b1746dd86413ae150e41f
SHA5120d0f1df7a43872763d81f2bc915716d37d387b4b2a3ebc44a7edf0000398de243ef09d925e00b07a7d57604ba16d34889357243f04c4fc861302a0e1c0e0801b
-
Filesize
5.7MB
MD5907f6d2ccb9de1f311b4f0ae58f1abf5
SHA115a255db8fe3ce554bbdd5c9f48a05dc6c6c33a9
SHA256fb69f1e12ba410a1c399441c4a41a80fa2df3658fe64283c5a90afc51f9f600e
SHA512768302a651af8b71add90ac24ec4b6b25f07b9835b30c08c81c548c88f304aa2795d47012328900dc102347d1c7d87f6128c8ab339674dbaf043e4cf8cb09c83