Analysis Overview
SHA256
14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8
Threat Level: Known bad
The file 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe was found to be: Known bad.
Malicious Activity Summary
Floxif family
Floxif, Floodfix
Detects Floxif payload
Loads dropped DLL
Reads user/profile data of web browsers
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
A potential corporate email address has been identified in the URL: [email protected]
Adds Run key to start application
Enumerates connected drives
Installs/modifies Browser Helper Object
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:52
Reported
2024-11-13 19:54
Platform
win7-20240903-en
Max time kernel
118s
Max time network
93s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
A potential corporate email address has been identified in the URL: [email protected]
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe /onboot" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.0.650493998\1338513965" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d97ab5ab-cdc3-4717-a1f8-edcceafcde11} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1288 127f3e58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.1.2058340583\1441439140" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ae40625-26d3-4d15-8ce4-9816fcedaf36} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1504 f6fe58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.2.1098539955\584139531" -childID 1 -isForBrowser -prefsHandle 2204 -prefMapHandle 2200 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db524ad8-d181-49f1-aaf6-92fd11028910} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2176 1adad758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.3.1501579381\652999859" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2808 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00799068-0114-4da1-986c-cbf16b4bf6aa} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2824 1df84a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.4.828641871\1565578770" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3712 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e93ea8-bc2e-47cb-8067-23f790ace86d} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3724 1f74c258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.5.246731019\1536465589" -childID 4 -isForBrowser -prefsHandle 3832 -prefMapHandle 3836 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cac9240d-6ed2-46a8-a978-b2574b77fa1a} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3820 1f74fb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.6.72649514\701880406" -childID 5 -isForBrowser -prefsHandle 3896 -prefMapHandle 3840 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f51bffc2-1c0a-4d47-947c-f5ebfe48c7d6} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3884 1f74f558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.7.14676614\1244772850" -childID 6 -isForBrowser -prefsHandle 1708 -prefMapHandle 2736 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9c571c0-81f5-4225-a262-cc262570a32e} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2084 22636158 tab
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 169.61.27.133:443 | www.internetdownloadmanager.com | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| N/A | 127.0.0.1:49209 | tcp | |
| N/A | 127.0.0.1:49216 | tcp | |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 151.101.129.91:443 | addons.mozilla.org | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | test.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | secure.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | mirror3.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | mirror5.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | registeridm.com | udp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 45.33.2.79:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 169.61.27.133:443 | registeridm.com | tcp |
Files
memory/2248-3-0x0000000010000000-0x0000000010030000-memory.dmp
\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
\Users\Admin\AppData\Local\Temp\A1D26E2\E0BE8348C8.tmp
| MD5 | 907f6d2ccb9de1f311b4f0ae58f1abf5 |
| SHA1 | 15a255db8fe3ce554bbdd5c9f48a05dc6c6c33a9 |
| SHA256 | fb69f1e12ba410a1c399441c4a41a80fa2df3658fe64283c5a90afc51f9f600e |
| SHA512 | 768302a651af8b71add90ac24ec4b6b25f07b9835b30c08c81c548c88f304aa2795d47012328900dc102347d1c7d87f6128c8ab339674dbaf043e4cf8cb09c83 |
memory/2248-15-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2248-14-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2248-13-0x0000000000A60000-0x000000000102A000-memory.dmp
\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp
| MD5 | c7e5520ed203ab5a47cc230aa82a7f8f |
| SHA1 | 4356eba3d63cfa115c4f1f7fbc19a837f4c92ecf |
| SHA256 | 23a4da975f497b8f541d56f301f3246cbc5fb680a0fb8a7bc0b34b5276512dbf |
| SHA512 | 25177a40d796f8dad6426f225da4899bbf2a6f40e5ec6740fe24be99f1e3fa9bab5030153d1b39935e2d51e0de724b6bd5d4a72fcb198de19c37df441efbab0f |
\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp
| MD5 | 6f87aba66431f8b0b6a0afa1532983ff |
| SHA1 | 296dc56397d800088da66de9a5653358d4bb27f7 |
| SHA256 | 82ed47127c67be3836eccc1cc6ce9de16fd2e60e745b1746dd86413ae150e41f |
| SHA512 | 0d0f1df7a43872763d81f2bc915716d37d387b4b2a3ebc44a7edf0000398de243ef09d925e00b07a7d57604ba16d34889357243f04c4fc861302a0e1c0e0801b |
memory/2248-27-0x0000000000A60000-0x000000000102A000-memory.dmp
memory/2248-28-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 9b3cd85656b476874b8696ffc1cf5a71 |
| SHA1 | 2b114161a6fca625b8e184c1ac372106b0488ed8 |
| SHA256 | 45925dd65cfaa4936aba19e040c0a4da50c2579b751e4d13ccb62f99ab456c8d |
| SHA512 | ffbf519974496bc591605bed2702b82e5a96765c7955cc9e1e00734ba69b631edb06a87f466f3e826a3206f54784833df3a994180f491b5ce096ed1748000461 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\d5cf5003-91c6-43a0-b04b-5a39c2959468
| MD5 | 49919acb3ccf6ee504a4666a59407531 |
| SHA1 | c9819f43aeddbb9e6430f4cde6637cef0f93814f |
| SHA256 | e510fb9c2f48f3db53e276c347f091850aa5976ff997963808b9191279fa070d |
| SHA512 | a2792ae1ccf7b87f20389e1b05d8d52601c271f49d6bd7511910fd456b47b436aaa2c7df7e9e82136bc62494733afe0539f48422b9a3c7542aeb6a8a7dad095e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\c8fbe872-f64b-4b62-b16a-4b748543a41c
| MD5 | 8799e37a0eab546e383c197d035c99cb |
| SHA1 | c6a3a7d595d9544d8d9d5508d11cc1b8fe0215b6 |
| SHA256 | ec9931ab159771e5a915ceb1ecdf33f637cee3d73db6c24a47f1f99f21cbf39a |
| SHA512 | 6022075a9614df3cafdedf73c237cd53fe131f9e5a2c0ad24cce905dc0ed71ec535c1ca27c51c74c3355694be763e2aa7e8ab19811c972ee28612f5f8498cebb |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 2bae4b1b5ae9107e640b7a9c7e91a8a9 |
| SHA1 | 481790ea18a5975aacbeea7710da4a40d10a6a7c |
| SHA256 | 06d489a3f7e4a40fcc33bc35954f4a3b96ac822aa42d8a47e186894084e0da02 |
| SHA512 | e40bd3f94268c484e39b9bcf96d6623d8528f74e430486c8e1696942a922cdd264b93980e2d5b8b1e6cde84300c58444b55d686a7ff53aa12ef1d8b7e0dd4c2b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | f99b4984bd93547ff4ab09d35b9ed6d5 |
| SHA1 | 73bf4d313cb094bb6ead04460da9547106794007 |
| SHA256 | 402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069 |
| SHA512 | cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759 |
memory/2248-212-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
| MD5 | 5ecc2075f89d1af9a048f685ed4aaf74 |
| SHA1 | c26150e3155740b1edfcbde3c8997d026e5fcba1 |
| SHA256 | 98eb9bc3d28e1ad776c322db160963466bb286498a8154b850c4fe0b38459d99 |
| SHA512 | 842ead01a62d362639ed8a11b847c4ea4192de7b0d7f7a7c2d7b2ea4bad38b4381a917872e07a026740f1f640f2ac1158bf358a124ccd798aa894b05dbfa6f88 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 6e34dea690012baa0636b34421fd611d |
| SHA1 | 3bf8b0601062391fa176aefd26f29827d94279a2 |
| SHA256 | 2ca2058fd45af2612d16faa8c371f9a2cdb4fcfed2bc6bb5ec5868d3dec71128 |
| SHA512 | a849ec4e60d8f4aae4988774e297e472b34fde4f5636aa29e13f3fabbc83e12174c3ec2c0270a901f88ccc52d494e32f32d8326bbf7c8a83be1265dde60dabe9 |
memory/2248-252-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2248-251-0x0000000000A60000-0x000000000102A000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
memory/2248-263-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
| MD5 | 6146b3a78dc721c28394a15192b45d0c |
| SHA1 | 9094776e157f4c76ad3bc9462bf2339bbbeaa71d |
| SHA256 | 439d74f1803053d9ac12fa08d6761e354128a01235b08e7efc224cb638708c2f |
| SHA512 | 57af617eeb84e9f30b9233a21895bf54fc75902958acc208752dc6a261200660a33641d8627e58f3df8600e2d87b8a7d244b24f0b1d01364b4eb559957bbf050 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 7c8c90b23e7d396c0921eede543cce71 |
| SHA1 | 1bb5e384327a881d10edb7d6d116e41d0e27ad29 |
| SHA256 | 39e3d7474e976f0059f925da7488db96c4d031e8985f83c447f6a4d7f0ca3268 |
| SHA512 | 9e6feedb5f40ae2e2abc025c70cd8598cca0927442eaa925236970912254366fcae310bfed097ec2893e48ca1254b28c5e0c65aa51ab415dbbc4a015ad1008d1 |
memory/2248-284-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2248-297-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2248-330-0x0000000000A60000-0x000000000102A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:52
Reported
2024-11-13 19:54
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
118s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
A potential corporate email address has been identified in the URL: [email protected]
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe /onboot" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6726b71b-9846-4b6b-9d6c-a592bc1af34b} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {258a2b52-e3e2-4c72-8e1f-7e777f0f6341} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -childID 1 -isForBrowser -prefsHandle 2864 -prefMapHandle 3156 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e30cb8ca-f709-4869-8b95-30cd79e06c04} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4060 -childID 2 -isForBrowser -prefsHandle 4052 -prefMapHandle 4072 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7b879a5-ce3c-42dd-ade6-1da2e73830e5} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4780 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec49ddb2-e2ad-441a-a753-896d8c4b5d4c} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4332 -childID 3 -isForBrowser -prefsHandle 5140 -prefMapHandle 5144 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7043e71f-96ae-4e42-9c42-f84ea3b02fbe} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f00ffa3-9931-4634-a5e9-8e609a0e82b7} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 5 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f19d5e2f-13b7-4f45-bfc9-2170164ee4a0} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3544 -childID 6 -isForBrowser -prefsHandle 5984 -prefMapHandle 3476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dc39d14-894b-4950-a882-98957d7496e0} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" tab
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.18.33.45.in-addr.arpa | udp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 169.61.27.133:443 | www.internetdownloadmanager.com | tcp |
| US | 169.61.27.133:443 | www.internetdownloadmanager.com | tcp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 169.61.27.133:443 | www.internetdownloadmanager.com | tcp |
| N/A | 127.0.0.1:62545 | tcp | |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.97.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.27.61.169.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 151.101.65.91:443 | addons.mozilla.org | tcp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 8.8.8.8:53 | addons.mozilla.org | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | 115.230.163.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| N/A | 127.0.0.1:62553 | tcp | |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 232.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | test.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | secure.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | mirror3.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | mirror5.internetdownloadmanager.com | udp |
| US | 8.8.8.8:53 | registeridm.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | 36.32.239.216.in-addr.arpa | udp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| NL | 2.18.121.73:80 | ciscobinary.openh264.org | tcp |
| NL | 2.18.121.73:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | 73.121.18.2.in-addr.arpa | udp |
| GB | 172.217.169.78:443 | redirector.gvt1.com | tcp |
| GB | 172.217.169.78:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| GB | 172.217.169.78:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4---sn-aigzrnsz.gvt1.com | tcp |
| GB | 74.125.175.169:443 | r4---sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | 169.175.125.74.in-addr.arpa | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 169.61.27.133:443 | registeridm.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/1552-3-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/1552-14-0x0000000010000000-0x0000000010030000-memory.dmp
memory/1552-12-0x00000000000D0000-0x000000000069A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
| MD5 | 734483578d82d0346d38ccca5974ee68 |
| SHA1 | 79be73dee4cd6460cd2fa6ad1183749792ce8087 |
| SHA256 | 91e05774c78cee1b98e533834f01def307db7c4e47f35680771e0f8025a397c7 |
| SHA512 | 83339508fc62c65c5510a0dcdc4dfc0aef1742fbc120b8744fbb6b3a507f71e18a3c16b18072f13d03a5ee33f3ff2aae0c6c572ce89456bcd4ee346419239b24 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\9da6f5ab-b4c7-4ebe-b8d5-bc4f71b77d7b
| MD5 | becfbde257649c1a3378e40b6f28f79f |
| SHA1 | 6f0a9f487c96251f3bf9b114c6818982af02bd70 |
| SHA256 | 9688eaaa3cbd48f3a75a8753dc07de079bacb162ad2cdda8e679db9a2301a467 |
| SHA512 | 90823bc2e5684248640190422e5ab8f0861dbfb0b5067ae706bdcf5c455972b45c77eb79e50885c4a13d775aeb6e6e4df717097781d87f7b66d37cd853fd60f9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\e87a9fe9-3a8e-49c3-9a38-81109d9f7a51
| MD5 | c38b4bcb64e9503af5cb83a55022547b |
| SHA1 | 3b00d9b65ce345b679cea8f4e7d833aca75bd276 |
| SHA256 | 243e9d425b58af63ca743afd1a3ae70df68d250777789dd251226d996eb5c7fe |
| SHA512 | a287b64158a4490843ca96866dcefe186b3317acd4189f281c130df39ba6373757f6ffe3fa0424b2330d234c78836fa341a34575cbcbbb32e67c9f0f46a3771f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\20f843bf-7691-4a37-bd7d-8f168ba7410b
| MD5 | 84809846d368d60af27ffbb54050c359 |
| SHA1 | 04395671d07bebac5130b88a11a7d36d26d094e6 |
| SHA256 | 695619d2e0b5f97db446451f83c8cf6e0cc2b01735a44f2087f7bb270de7f041 |
| SHA512 | ac3151eea65ab507b8f344721f1487d12e0bf29877cea45ef9193deb200ceed2630770e32a765dda39f3f2af9f131c86988eac837498293fc821e2fa71c0c9d8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 4d57e486029a227857b51ff5e28632f9 |
| SHA1 | a43eb6dd85716205b049c4a7cd782357a60897b8 |
| SHA256 | 1b26bb3412b6d4acc35ac2bd86a250d4be954c7c4a6784e15152b971a376c70e |
| SHA512 | 27566430fef4b2565b4cb43e39708db25fede39f33ea9ebaa12211ff985c5a6cde3a03ede7dbf0fae62602b1b5fc45cc98811baa24ee2cb4ba0b547b39263763 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
| MD5 | b5bd59990ef0d0023e8805fea427189b |
| SHA1 | fd8195d888b3eea5cfc7be8e14b0a3efa5d521fe |
| SHA256 | efc6220eac0c32525affc558169557d37cc0e62490b709821bb3f3e32f222c32 |
| SHA512 | 9f53212960034ee201ce448cc5e79380369ea41ca2b7f4e46629ffe486e92ccf1b450ad5b8f0dc16b7a1c4c74fae621343c1b7979daaafa8af85b59c3905bff4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
| MD5 | 5e5e136e87ec44fc570b612c5732f3d0 |
| SHA1 | 766d61d2ee051a1e79bc0f71faee0486cdbb3962 |
| SHA256 | 4de2ac1a092299bb915f2e9939384741fd411452dd0338581a0e6bfd1f6e81fe |
| SHA512 | 03af4dd4d8d78244363733a323f6092cb404364a589d762bf0e048e0a0ef14951ea3d25d0147ba419a366f2ac48602333fdfac676b2e7f664781002761c4c966 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js
| MD5 | ff3073bf49d26fd1ffba8c20ba976a66 |
| SHA1 | dc8e8afcd4e89281e1839f4bcc3548c483ed6f6a |
| SHA256 | 41d528223383af7c6e8c54588e22a9c7e38b6144b2cacf5cdcac1dac6362c8d1 |
| SHA512 | 4dbc7a96927495650a51441d86a4e9936cfc4876bf643301fa4a0be915e29ad9ecab8190a41b224b2d6c5bc47740c1bbf6efb19d61c3c6955b15488145d36fea |
memory/1552-394-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
memory/1552-418-0x0000000010000000-0x0000000010030000-memory.dmp
memory/1552-417-0x00000000000D0000-0x000000000069A000-memory.dmp
memory/1552-426-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | a15926af762573652cf11b1e01bce971 |
| SHA1 | 24f4670064429e1e02a9cbcc2a21c667e2f300d0 |
| SHA256 | e782fbf69a13ac61fa08968f1d18f1b837f281df33833d3a5f5acc087db0563e |
| SHA512 | 6de18fbe517331661f9a4cd94fe48542b7fe134cc0953e43a3b554d097f8381eed142a712d14c3006aa617892935e59d6ca05ccc21c616f065a0d32b7b72749d |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 4b6659656b2aaa0a37704d69cefaf6dd |
| SHA1 | 19fcba65f9394f31f2207c619f306049fef8eb98 |
| SHA256 | 457ea6a8597e9d6c7db8c13c52f96a2ea6a5b296c4ca05285f5f483551c0b8f3 |
| SHA512 | 5e5c9b338e7ca6ee7672940db7c2ddebb91a28d051a069ed1ca6b04a96a5f617fdd32750b934764ddf429f016abd8cbc995217d2e278c6173940a33a42962e33 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
| MD5 | 9a118112e924dd474dde8a2c57200f75 |
| SHA1 | 44177cc142a59ca7aeb95509ee365d2f4cfa805b |
| SHA256 | bd14ed2720ed1ded4180cb18765f4d56b9daa52a1ab9a5c2668a0c8668152c3a |
| SHA512 | 1103e054c968efb631cf476af1f16977d864f1bc7c1e712a1e5ba9a5e44a2537091f26ade3f1b1a483c3031770fb588e25014f61944ab63891807bf1db91be2d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4
| MD5 | ec9501f36ef7fb2e677038b7163a4d39 |
| SHA1 | ad0f9ccdfc0e19a66a1c41544bcca5e247cbe7fc |
| SHA256 | 31f31b085cbbde46df59c6b35e31a714e4c932ecf9428908d09dd3e96a1d7cef |
| SHA512 | b9df4d241bd250ad5a9b4d35930d7808e4fc3b30d927f442f74707c4555d3bbcfed5fae5a17939d6c0c20194e71095357e92608c60ebdcf8bef1c0c8e3105bf3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js
| MD5 | 3d676bab96ed8b3d5f36e67b7850420c |
| SHA1 | 0afff06af8c9e1e8ed5117912d4b57b6401015b0 |
| SHA256 | cfe9d0ebc434f03a3f6a0f3abcff08f3a3fe6b11815d65a9a6d6ca7bea27d46e |
| SHA512 | 69c968a08837df318cf665a7ea57f9c9e7f45f2095142e1d547117087171a2a157c29924a1ca3f6dd7f2beff26ae1cd50513cf202a6f50c4e6b2531e0cefaa43 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
| MD5 | cb33b07bcbcf0bee8d215199d787a51c |
| SHA1 | 3539ebbb9cd94daf8fa5d8c792630ad64fb70493 |
| SHA256 | 15d4624d12fe447ec23a5f1a153a17302c427b162ca127d90c16ca5922261c63 |
| SHA512 | 18500133b1fa741ac08abf7e04cb9f126193e78221f57f50b3ed8637c0b60a45631b1e5a26664dcef7ea283da3d941f6b7d28061b225526e3068034370daf628 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | f94a00797a659fce13674cfaacc14461 |
| SHA1 | 97250c9d5315d2c7f6c41234f74a9299b03fa11c |
| SHA256 | 91f17b9982e451f8f9a211d0c5da2de2ba2b99d2743e319bb1c94ecebb858b7d |
| SHA512 | 6b6c502b99754906beeaa861930ee7d71493437c2f95c62c2a6257717cea6ec2f103b59be7a25de9ae2c51f6560fb820b3786a3353d8d30c641096103ba9dc52 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp
| MD5 | 36e5ee071a6f2f03c5d3889de80b0f0d |
| SHA1 | cf6e8ddb87660ef1ef84ae36f97548a2351ac604 |
| SHA256 | 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683 |
| SHA512 | 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
| MD5 | f59a9f073d55bf0e8195f3cc10e21e50 |
| SHA1 | b9ff22b78a90e337892cd0c83ee59690fd123276 |
| SHA256 | 5b9f68b87033abd999de0abdb8c0ebabf87a00c61e96c55a729c932efcff7407 |
| SHA512 | 525912894d3db5ecd307576e9d6c34992276f4fa346e343e3b0609f80a4e77b18b9e20fc15fe8195a45c39d9f931b66dc52a1aaa7038e860deb2651573e72f1d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | e98e384f12758a652a4b4f02b7e41e62 |
| SHA1 | 0cf4f6d3f654e7bc08ffe3be1af0799494a4c07f |
| SHA256 | c8342d1a6c233323cba3026a974426fedc32fb31375a77516cd145a130aad0fb |
| SHA512 | 275f005dc1b3e647aeebfd5422ead1b829406403e05cbe71135202b9a7ea9435af4ad6cd31aec2b6cc4d171c2e38bface6d855e803b36ffc45d9c7de165f9b2d |
memory/1552-3178-0x00000000000D0000-0x000000000069A000-memory.dmp
memory/1552-3181-0x0000000010000000-0x0000000010030000-memory.dmp