Malware Analysis Report

2024-12-07 03:03

Sample ID 241113-yln5ks1qcn
Target 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
SHA256 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8
Tags
floxif adware backdoor discovery persistence phishing spyware stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8

Threat Level: Known bad

The file 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe was found to be: Known bad.

Malicious Activity Summary

floxif adware backdoor discovery persistence phishing spyware stealer trojan upx

Floxif family

Floxif, Floodfix

Detects Floxif payload

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

A potential corporate email address has been identified in the URL: [email protected]

Adds Run key to start application

Enumerates connected drives

Installs/modifies Browser Helper Object

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:52

Reported

2024-11-13 19:54

Platform

win7-20240903-en

Max time kernel

118s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

A potential corporate email address has been identified in the URL: [email protected]

phishing

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe /onboot" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
File opened for modification | \??\c:\program files\mozilla firefox\uninstall\helper.exe | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
File created | \??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
File opened for modification | \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2248 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2248 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2248 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2248 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2248 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2248 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2248 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2248 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2248 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2248 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2248 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2856 wrote to memory of 2800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 2816 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 2816 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 2816 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2800 wrote to memory of 1952 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe

"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.0.650493998\1338513965" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d97ab5ab-cdc3-4717-a1f8-edcceafcde11} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1288 127f3e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.1.2058340583\1441439140" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ae40625-26d3-4d15-8ce4-9816fcedaf36} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1504 f6fe58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.2.1098539955\584139531" -childID 1 -isForBrowser -prefsHandle 2204 -prefMapHandle 2200 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db524ad8-d181-49f1-aaf6-92fd11028910} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2176 1adad758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.3.1501579381\652999859" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2808 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00799068-0114-4da1-986c-cbf16b4bf6aa} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2824 1df84a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.4.828641871\1565578770" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3712 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e93ea8-bc2e-47cb-8067-23f790ace86d} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3724 1f74c258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.5.246731019\1536465589" -childID 4 -isForBrowser -prefsHandle 3832 -prefMapHandle 3836 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cac9240d-6ed2-46a8-a978-b2574b77fa1a} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3820 1f74fb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.6.72649514\701880406" -childID 5 -isForBrowser -prefsHandle 3896 -prefMapHandle 3840 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f51bffc2-1c0a-4d47-947c-f5ebfe48c7d6} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3884 1f74f558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.7.14676614\1244772850" -childID 6 -isForBrowser -prefsHandle 1708 -prefMapHandle 2736 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9c571c0-81f5-4225-a262-cc262570a32e} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2084 22636158 tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.2.79:80 www.aieov.com tcp
US 45.33.2.79:80 www.aieov.com tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 prod.pocket.prod.cloudops.mozgcp.net tcp
N/A 127.0.0.1:49209 tcp
N/A 127.0.0.1:49216 tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 151.101.129.91:443 addons.mozilla.org tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 addons.mozilla.org udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 216.239.34.36:443 region1.google-analytics.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 45.33.2.79:80 www.aieov.com tcp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 registeridm.com udp
US 45.33.2.79:80 www.aieov.com tcp
US 45.33.2.79:80 www.aieov.com tcp
US 45.33.2.79:80 www.aieov.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com udp
US 169.61.27.133:443 registeridm.com tcp

Files

memory/2248-3-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

\Users\Admin\AppData\Local\Temp\A1D26E2\E0BE8348C8.tmp

MD5 907f6d2ccb9de1f311b4f0ae58f1abf5
SHA1 15a255db8fe3ce554bbdd5c9f48a05dc6c6c33a9
SHA256 fb69f1e12ba410a1c399441c4a41a80fa2df3658fe64283c5a90afc51f9f600e
SHA512 768302a651af8b71add90ac24ec4b6b25f07b9835b30c08c81c548c88f304aa2795d47012328900dc102347d1c7d87f6128c8ab339674dbaf043e4cf8cb09c83

memory/2248-15-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2248-14-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2248-13-0x0000000000A60000-0x000000000102A000-memory.dmp

\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

MD5 c7e5520ed203ab5a47cc230aa82a7f8f
SHA1 4356eba3d63cfa115c4f1f7fbc19a837f4c92ecf
SHA256 23a4da975f497b8f541d56f301f3246cbc5fb680a0fb8a7bc0b34b5276512dbf
SHA512 25177a40d796f8dad6426f225da4899bbf2a6f40e5ec6740fe24be99f1e3fa9bab5030153d1b39935e2d51e0de724b6bd5d4a72fcb198de19c37df441efbab0f

\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

MD5 6f87aba66431f8b0b6a0afa1532983ff
SHA1 296dc56397d800088da66de9a5653358d4bb27f7
SHA256 82ed47127c67be3836eccc1cc6ce9de16fd2e60e745b1746dd86413ae150e41f
SHA512 0d0f1df7a43872763d81f2bc915716d37d387b4b2a3ebc44a7edf0000398de243ef09d925e00b07a7d57604ba16d34889357243f04c4fc861302a0e1c0e0801b

memory/2248-27-0x0000000000A60000-0x000000000102A000-memory.dmp

memory/2248-28-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin

MD5 9b3cd85656b476874b8696ffc1cf5a71
SHA1 2b114161a6fca625b8e184c1ac372106b0488ed8
SHA256 45925dd65cfaa4936aba19e040c0a4da50c2579b751e4d13ccb62f99ab456c8d
SHA512 ffbf519974496bc591605bed2702b82e5a96765c7955cc9e1e00734ba69b631edb06a87f466f3e826a3206f54784833df3a994180f491b5ce096ed1748000461

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\d5cf5003-91c6-43a0-b04b-5a39c2959468

MD5 49919acb3ccf6ee504a4666a59407531
SHA1 c9819f43aeddbb9e6430f4cde6637cef0f93814f
SHA256 e510fb9c2f48f3db53e276c347f091850aa5976ff997963808b9191279fa070d
SHA512 a2792ae1ccf7b87f20389e1b05d8d52601c271f49d6bd7511910fd456b47b436aaa2c7df7e9e82136bc62494733afe0539f48422b9a3c7542aeb6a8a7dad095e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\c8fbe872-f64b-4b62-b16a-4b748543a41c

MD5 8799e37a0eab546e383c197d035c99cb
SHA1 c6a3a7d595d9544d8d9d5508d11cc1b8fe0215b6
SHA256 ec9931ab159771e5a915ceb1ecdf33f637cee3d73db6c24a47f1f99f21cbf39a
SHA512 6022075a9614df3cafdedf73c237cd53fe131f9e5a2c0ad24cce905dc0ed71ec535c1ca27c51c74c3355694be763e2aa7e8ab19811c972ee28612f5f8498cebb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp

MD5 2bae4b1b5ae9107e640b7a9c7e91a8a9
SHA1 481790ea18a5975aacbeea7710da4a40d10a6a7c
SHA256 06d489a3f7e4a40fcc33bc35954f4a3b96ac822aa42d8a47e186894084e0da02
SHA512 e40bd3f94268c484e39b9bcf96d6623d8528f74e430486c8e1696942a922cdd264b93980e2d5b8b1e6cde84300c58444b55d686a7ff53aa12ef1d8b7e0dd4c2b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 f99b4984bd93547ff4ab09d35b9ed6d5
SHA1 73bf4d313cb094bb6ead04460da9547106794007
SHA256 402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512 cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

memory/2248-212-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

MD5 5ecc2075f89d1af9a048f685ed4aaf74
SHA1 c26150e3155740b1edfcbde3c8997d026e5fcba1
SHA256 98eb9bc3d28e1ad776c322db160963466bb286498a8154b850c4fe0b38459d99
SHA512 842ead01a62d362639ed8a11b847c4ea4192de7b0d7f7a7c2d7b2ea4bad38b4381a917872e07a026740f1f640f2ac1158bf358a124ccd798aa894b05dbfa6f88

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

MD5 6e34dea690012baa0636b34421fd611d
SHA1 3bf8b0601062391fa176aefd26f29827d94279a2
SHA256 2ca2058fd45af2612d16faa8c371f9a2cdb4fcfed2bc6bb5ec5868d3dec71128
SHA512 a849ec4e60d8f4aae4988774e297e472b34fde4f5636aa29e13f3fabbc83e12174c3ec2c0270a901f88ccc52d494e32f32d8326bbf7c8a83be1265dde60dabe9

memory/2248-252-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2248-251-0x0000000000A60000-0x000000000102A000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/2248-263-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

MD5 6146b3a78dc721c28394a15192b45d0c
SHA1 9094776e157f4c76ad3bc9462bf2339bbbeaa71d
SHA256 439d74f1803053d9ac12fa08d6761e354128a01235b08e7efc224cb638708c2f
SHA512 57af617eeb84e9f30b9233a21895bf54fc75902958acc208752dc6a261200660a33641d8627e58f3df8600e2d87b8a7d244b24f0b1d01364b4eb559957bbf050

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

MD5 7c8c90b23e7d396c0921eede543cce71
SHA1 1bb5e384327a881d10edb7d6d116e41d0e27ad29
SHA256 39e3d7474e976f0059f925da7488db96c4d031e8985f83c447f6a4d7f0ca3268
SHA512 9e6feedb5f40ae2e2abc025c70cd8598cca0927442eaa925236970912254366fcae310bfed097ec2893e48ca1254b28c5e0c65aa51ab415dbbc4a015ad1008d1

memory/2248-284-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2248-297-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2248-330-0x0000000000A60000-0x000000000102A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 19:52

Reported

2024-11-13 19:54

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

A potential corporate email address has been identified in the URL: [email protected]

phishing

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe /onboot" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1552 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1552 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1552 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1552 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4568 wrote to memory of 2176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4568 wrote to memory of 2176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4568 wrote to memory of 2176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4568 wrote to memory of 2176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4568 wrote to memory of 2176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4568 wrote to memory of 2176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4568 wrote to memory of 2176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4568 wrote to memory of 2176 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (4 identical entries)
PID 2176 wrote to memory of 456 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (45 identical entries)
PID 2176 wrote to memory of 2212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (3 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe

"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6726b71b-9846-4b6b-9d6c-a592bc1af34b} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {258a2b52-e3e2-4c72-8e1f-7e777f0f6341} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -childID 1 -isForBrowser -prefsHandle 2864 -prefMapHandle 3156 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e30cb8ca-f709-4869-8b95-30cd79e06c04} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4060 -childID 2 -isForBrowser -prefsHandle 4052 -prefMapHandle 4072 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7b879a5-ce3c-42dd-ade6-1da2e73830e5} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4780 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec49ddb2-e2ad-441a-a753-896d8c4b5d4c} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4332 -childID 3 -isForBrowser -prefsHandle 5140 -prefMapHandle 5144 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7043e71f-96ae-4e42-9c42-f84ea3b02fbe} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f00ffa3-9931-4634-a5e9-8e609a0e82b7} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 5 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f19d5e2f-13b7-4f45-bfc9-2170164ee4a0} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3544 -childID 6 -isForBrowser -prefsHandle 5984 -prefMapHandle 3476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dc39d14-894b-4950-a882-98957d7496e0} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 44.18.33.45.in-addr.arpa udp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
N/A 127.0.0.1:62545 tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 8.8.8.8:53 133.27.61.169.in-addr.arpa udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 addons.mozilla.org udp
US 151.101.65.91:443 addons.mozilla.org tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 115.230.163.35.in-addr.arpa udp
US 8.8.8.8:53 91.65.101.151.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 45.33.18.44:80 www.aieov.com tcp
N/A 127.0.0.1:62553 tcp
US 8.8.8.8:53 5isohu.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 232.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 registeridm.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 45.33.18.44:80 www.aieov.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
NL 2.18.121.73:80 ciscobinary.openh264.org tcp
NL 2.18.121.73:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 73.121.18.2.in-addr.arpa udp
GB 172.217.169.78:443 redirector.gvt1.com tcp
GB 172.217.169.78:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
GB 172.217.169.78:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 169.175.125.74.in-addr.arpa udp
GB 74.125.175.169:443 r4.sn-aigzrnsz.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 169.61.27.133:443 registeridm.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1552-3-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1552-14-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1552-12-0x00000000000D0000-0x000000000069A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

MD5 734483578d82d0346d38ccca5974ee68
SHA1 79be73dee4cd6460cd2fa6ad1183749792ce8087
SHA256 91e05774c78cee1b98e533834f01def307db7c4e47f35680771e0f8025a397c7
SHA512 83339508fc62c65c5510a0dcdc4dfc0aef1742fbc120b8744fbb6b3a507f71e18a3c16b18072f13d03a5ee33f3ff2aae0c6c572ce89456bcd4ee346419239b24

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\9da6f5ab-b4c7-4ebe-b8d5-bc4f71b77d7b

MD5 becfbde257649c1a3378e40b6f28f79f
SHA1 6f0a9f487c96251f3bf9b114c6818982af02bd70
SHA256 9688eaaa3cbd48f3a75a8753dc07de079bacb162ad2cdda8e679db9a2301a467
SHA512 90823bc2e5684248640190422e5ab8f0861dbfb0b5067ae706bdcf5c455972b45c77eb79e50885c4a13d775aeb6e6e4df717097781d87f7b66d37cd853fd60f9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\e87a9fe9-3a8e-49c3-9a38-81109d9f7a51

MD5 c38b4bcb64e9503af5cb83a55022547b
SHA1 3b00d9b65ce345b679cea8f4e7d833aca75bd276
SHA256 243e9d425b58af63ca743afd1a3ae70df68d250777789dd251226d996eb5c7fe
SHA512 a287b64158a4490843ca96866dcefe186b3317acd4189f281c130df39ba6373757f6ffe3fa0424b2330d234c78836fa341a34575cbcbbb32e67c9f0f46a3771f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\20f843bf-7691-4a37-bd7d-8f168ba7410b

MD5 84809846d368d60af27ffbb54050c359
SHA1 04395671d07bebac5130b88a11a7d36d26d094e6
SHA256 695619d2e0b5f97db446451f83c8cf6e0cc2b01735a44f2087f7bb270de7f041
SHA512 ac3151eea65ab507b8f344721f1487d12e0bf29877cea45ef9193deb200ceed2630770e32a765dda39f3f2af9f131c86988eac837498293fc821e2fa71c0c9d8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

MD5 4d57e486029a227857b51ff5e28632f9
SHA1 a43eb6dd85716205b049c4a7cd782357a60897b8
SHA256 1b26bb3412b6d4acc35ac2bd86a250d4be954c7c4a6784e15152b971a376c70e
SHA512 27566430fef4b2565b4cb43e39708db25fede39f33ea9ebaa12211ff985c5a6cde3a03ede7dbf0fae62602b1b5fc45cc98811baa24ee2cb4ba0b547b39263763

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json

MD5 b5bd59990ef0d0023e8805fea427189b
SHA1 fd8195d888b3eea5cfc7be8e14b0a3efa5d521fe
SHA256 efc6220eac0c32525affc558169557d37cc0e62490b709821bb3f3e32f222c32
SHA512 9f53212960034ee201ce448cc5e79380369ea41ca2b7f4e46629ffe486e92ccf1b450ad5b8f0dc16b7a1c4c74fae621343c1b7979daaafa8af85b59c3905bff4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

MD5 5e5e136e87ec44fc570b612c5732f3d0
SHA1 766d61d2ee051a1e79bc0f71faee0486cdbb3962
SHA256 4de2ac1a092299bb915f2e9939384741fd411452dd0338581a0e6bfd1f6e81fe
SHA512 03af4dd4d8d78244363733a323f6092cb404364a589d762bf0e048e0a0ef14951ea3d25d0147ba419a366f2ac48602333fdfac676b2e7f664781002761c4c966

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

MD5 ff3073bf49d26fd1ffba8c20ba976a66
SHA1 dc8e8afcd4e89281e1839f4bcc3548c483ed6f6a
SHA256 41d528223383af7c6e8c54588e22a9c7e38b6144b2cacf5cdcac1dac6362c8d1
SHA512 4dbc7a96927495650a51441d86a4e9936cfc4876bf643301fa4a0be915e29ad9ecab8190a41b224b2d6c5bc47740c1bbf6efb19d61c3c6955b15488145d36fea

memory/1552-394-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/1552-418-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1552-417-0x00000000000D0000-0x000000000069A000-memory.dmp

memory/1552-426-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

MD5 a15926af762573652cf11b1e01bce971
SHA1 24f4670064429e1e02a9cbcc2a21c667e2f300d0
SHA256 e782fbf69a13ac61fa08968f1d18f1b837f281df33833d3a5f5acc087db0563e
SHA512 6de18fbe517331661f9a4cd94fe48542b7fe134cc0953e43a3b554d097f8381eed142a712d14c3006aa617892935e59d6ca05ccc21c616f065a0d32b7b72749d

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 4b6659656b2aaa0a37704d69cefaf6dd
SHA1 19fcba65f9394f31f2207c619f306049fef8eb98
SHA256 457ea6a8597e9d6c7db8c13c52f96a2ea6a5b296c4ca05285f5f483551c0b8f3
SHA512 5e5c9b338e7ca6ee7672940db7c2ddebb91a28d051a069ed1ca6b04a96a5f617fdd32750b934764ddf429f016abd8cbc995217d2e278c6173940a33a42962e33

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

MD5 9a118112e924dd474dde8a2c57200f75
SHA1 44177cc142a59ca7aeb95509ee365d2f4cfa805b
SHA256 bd14ed2720ed1ded4180cb18765f4d56b9daa52a1ab9a5c2668a0c8668152c3a
SHA512 1103e054c968efb631cf476af1f16977d864f1bc7c1e712a1e5ba9a5e44a2537091f26ade3f1b1a483c3031770fb588e25014f61944ab63891807bf1db91be2d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

MD5 ec9501f36ef7fb2e677038b7163a4d39
SHA1 ad0f9ccdfc0e19a66a1c41544bcca5e247cbe7fc
SHA256 31f31b085cbbde46df59c6b35e31a714e4c932ecf9428908d09dd3e96a1d7cef
SHA512 b9df4d241bd250ad5a9b4d35930d7808e4fc3b30d927f442f74707c4555d3bbcfed5fae5a17939d6c0c20194e71095357e92608c60ebdcf8bef1c0c8e3105bf3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

MD5 3d676bab96ed8b3d5f36e67b7850420c
SHA1 0afff06af8c9e1e8ed5117912d4b57b6401015b0
SHA256 cfe9d0ebc434f03a3f6a0f3abcff08f3a3fe6b11815d65a9a6d6ca7bea27d46e
SHA512 69c968a08837df318cf665a7ea57f9c9e7f45f2095142e1d547117087171a2a157c29924a1ca3f6dd7f2beff26ae1cd50513cf202a6f50c4e6b2531e0cefaa43

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

MD5 cb33b07bcbcf0bee8d215199d787a51c
SHA1 3539ebbb9cd94daf8fa5d8c792630ad64fb70493
SHA256 15d4624d12fe447ec23a5f1a153a17302c427b162ca127d90c16ca5922261c63
SHA512 18500133b1fa741ac08abf7e04cb9f126193e78221f57f50b3ed8637c0b60a45631b1e5a26664dcef7ea283da3d941f6b7d28061b225526e3068034370daf628

C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 f94a00797a659fce13674cfaacc14461
SHA1 97250c9d5315d2c7f6c41234f74a9299b03fa11c
SHA256 91f17b9982e451f8f9a211d0c5da2de2ba2b99d2743e319bb1c94ecebb858b7d
SHA512 6b6c502b99754906beeaa861930ee7d71493437c2f95c62c2a6257717cea6ec2f103b59be7a25de9ae2c51f6560fb820b3786a3353d8d30c641096103ba9dc52

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

MD5 36e5ee071a6f2f03c5d3889de80b0f0d
SHA1 cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA256 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA512 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99

MD5 f59a9f073d55bf0e8195f3cc10e21e50
SHA1 b9ff22b78a90e337892cd0c83ee59690fd123276
SHA256 5b9f68b87033abd999de0abdb8c0ebabf87a00c61e96c55a729c932efcff7407
SHA512 525912894d3db5ecd307576e9d6c34992276f4fa346e343e3b0609f80a4e77b18b9e20fc15fe8195a45c39d9f931b66dc52a1aaa7038e860deb2651573e72f1d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 e98e384f12758a652a4b4f02b7e41e62
SHA1 0cf4f6d3f654e7bc08ffe3be1af0799494a4c07f
SHA256 c8342d1a6c233323cba3026a974426fedc32fb31375a77516cd145a130aad0fb
SHA512 275f005dc1b3e647aeebfd5422ead1b829406403e05cbe71135202b9a7ea9435af4ad6cd31aec2b6cc4d171c2e38bface6d855e803b36ffc45d9c7de165f9b2d

memory/1552-3178-0x00000000000D0000-0x000000000069A000-memory.dmp

memory/1552-3181-0x0000000010000000-0x0000000010030000-memory.dmp