Malware Analysis Report

2024-12-07 13:03

Sample ID 241113-yrwfvayclg
Target 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
SHA256 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8
Tags
floxif adware backdoor discovery persistence phishing spyware stealer trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8

Threat Level: Known bad

The file 14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe was found to be: Known bad.

Malicious Activity Summary

floxif adware backdoor discovery persistence phishing spyware stealer trojan upx

Floxif, Floodfix

Floxif family

Detects Floxif payload

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Checks computer location settings

A potential corporate email address has been identified in the URL: [email protected]

Reads user/profile data of web browsers

Installs/modifies Browser Helper Object

Enumerates connected drives

Adds Run key to start application

UPX packed file

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 20:01

Reported

2024-11-13 20:04

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

A potential corporate email address has been identified in the URL: [email protected]

phishing

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe /onboot" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1784 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1784 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1784 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1784 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 472 wrote to memory of 1368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 1424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1368 wrote to memory of 4172 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe

"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9cbcc00-8b6e-4311-941e-e99d5fd612c2} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97830586-eb97-4e3f-9519-b315e1b12a2f} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3368 -childID 1 -isForBrowser -prefsHandle 2740 -prefMapHandle 3404 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b9a9199-5e7a-4081-9eec-a81d50a7c1dd} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4606a67-4422-46f8-9507-09cefe61c6b7} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4688 -prefMapHandle 4740 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3d7d255-8249-4ddc-86b7-c8997e734d6e} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5160 -childID 3 -isForBrowser -prefsHandle 5152 -prefMapHandle 3824 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff7414c4-a786-4001-b359-8f6a2c1028b5} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 4 -isForBrowser -prefsHandle 5320 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c232e05-3483-4eb1-921a-e511b87c60b7} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a06ca19e-86ab-489d-9002-91bb240dc87b} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3464 -childID 6 -isForBrowser -prefsHandle 3472 -prefMapHandle 3500 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87bc36fb-0071-4fd1-81bf-04be0a52cf7c} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 72.14.185.43:80 www.aieov.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.185.14.72.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 72.14.185.43:80 www.aieov.com tcp
US 72.14.185.43:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
N/A 127.0.0.1:62419 tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 addons.mozilla.org udp
US 151.101.193.91:443 addons.mozilla.org tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 addons.mozilla.org udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 72.14.185.43:80 www.aieov.com tcp
US 8.8.8.8:53 133.27.61.169.in-addr.arpa udp
US 8.8.8.8:53 149.234.200.54.in-addr.arpa udp
US 8.8.8.8:53 91.193.101.151.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 232.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com udp
N/A 127.0.0.1:62428 tcp
US 72.14.185.43:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 72.14.185.43:80 www.aieov.com tcp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 registeridm.com udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.73:80 ciscobinary.openh264.org tcp
NL 2.18.121.73:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 172.217.169.78:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.78:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 73.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 169.175.125.74.in-addr.arpa udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 172.217.169.78:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 169.61.27.133:443 registeridm.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 72.14.185.43:80 www.aieov.com tcp

Files

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1784-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1784-14-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1784-12-0x0000000000630000-0x0000000000BFA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\1e6494be-0fd3-486f-98eb-20ca4c7acb83

MD5 c6269891489855e9e934301b579d7111
SHA1 06187fb1659eb58942b8b0d438c024978e41d0fd
SHA256 c7a20daa76265ce79d653cca513bfd228519787cda64b37659cd42f627c74c16
SHA512 3139442c465ad2dfb2be2811646b697986fa2f2048fb4eefcdd5e9cc0877463e38678e1a93e2407f0f14aa3022e6349c67e6a523220920d4a910550607127e13

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\27066cc0-934e-4b50-8929-7311f40d484e

MD5 1456a3b81eb88611fffb7e48294ac92a
SHA1 f7fddb5bd827182f5af060a112c807909b9e76a5
SHA256 f302acb928408a4ba908c54fa0b5d03a6e34c59788e459cfd5f031f4668a038c
SHA512 0152fe138ea48c567aa06ad926f3ed3260b768d9d9b6bb47bed0d20f764b1f5d3316ab477cceb3819d9f9753aa6754d979407d06316580a5548d8a1b4133dca6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\78640bbe-d150-46c1-ba98-25b88d2a7981

MD5 5e7e6262f3d83e92ee2cc3b6ff230ba2
SHA1 24aa41d43929832595931ac8c7f69d673c036acb
SHA256 fc9d449ae891f3065584a2f9fdbeb075201f86d020c4e5fc4af84ac589bc3b12
SHA512 77773bfc7c6ec960d485d9fb5937c84309ed5227aa2dbbf9f59bdd80086c9887bffb4a1eadaae251bf67ba6a34ab777fafdabb956ae4fb5376d9e3f53497f3d5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

MD5 26e2c67fad5c402d4238a46365862923
SHA1 bbedfb648fded784bf5d0d92257a15a297180bf0
SHA256 a83020616d4a5f782389f6a5b0ab5fbb4c459d53e68b2cdfe67f6928494439d0
SHA512 281f9f67fa4401213e97f28b5b48f00ca81e6fb7f3de8c83867ee647f65b84143bc49ee326f9e919770ab3dc9ddd2140a022e73fa747fef5479e283aff12ae72

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json

MD5 e252c99f65ace90588132824080dce2c
SHA1 bcfa8faa46c5fa83af12ad70c0edc50cfa5efc5c
SHA256 b4c88417908e3a2a63fc9944258ef9fa3cc750ef7f78e12cbbee3a1891493ee5
SHA512 d3ce82b4cfa7b291d8d197789d76b485d07ee9b8d29fead0bad818539ceff58feabed210cfd971117305b56c3299f27f56335a2d2cddf8367b97535395194eec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

MD5 377792272798bb062c568c18c989c889
SHA1 1b01d1ef30ea396ef205d429f7ffc26dd7a7ef21
SHA256 fe708a2e61a897b573c1f0a3977b0a7a2572cb5f121f6e6a2eb936f7c7d998fd
SHA512 fb02f03cf8a6c16daeadba603bae3dbaacb0eb298e852a0ee6acedd065c02537221142508f5923f8974ed2d44848ea05600c16f380e59c1009ea62e9c83c9335

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

MD5 64ccb81d7f83a15349ee831976ff3791
SHA1 b46fd9954cef82008f65cf5e13090700bf5150e8
SHA256 838a512eec19b89a259849ba6ddec63955c30f18fa7abbcaa75f27e4482cd416
SHA512 dc2001e6cf98d48daa4ccf979f41ccfac86b194e9a749d2b09fd70ee4fece319cfd3a9f9a48186d338208803df37f7db3cdca7baec5a84576f9d323e5d00592b

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/1784-397-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1784-411-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1784-410-0x0000000000630000-0x0000000000BFA000-memory.dmp

memory/1784-416-0x0000000000630000-0x0000000000BFA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

MD5 7706a772997326622e43e966e6a46636
SHA1 c1840ccd77499bb38671fca8be3dac0b430ec5b6
SHA256 eac3da4a5d1ed48849083e6b83298b05081da173ed59fdf044ee8d19e3e0121a
SHA512 06f7310169be0316ffda109640450479220ed628ee68617392ae86831b430f840d6d28528937d3fa394a7a563c538a74069d3cd86ff412f5a936012bd2ecefd8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

MD5 de7c83b529efd3986b9dab850c75a2a3
SHA1 25bca7e15949a1835d9cb4f916863410134a9146
SHA256 47c4a35d1d467417dbfaa77db3d049d1f972827051a8e920fa66c8f5f66b92bf
SHA512 338943309db1fad6801d463cd212a38bcae0e104922ab2116ee36bf36e0ad0be9ec1d2f33962701a241ba2594cd8670ff31b1f6317704f6de37141c3acf396c0

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

MD5 9e3d300b8ec7b148dd5c6e22668e2b5a
SHA1 5d3d57d5005b3fb17cc1829218ce744af5f3817d
SHA256 aa849d869e76b2fb7523cf781b0ae2152c11ec216253993078f29d035a99daf7
SHA512 e7920f7e90a0c36a261541384d4a6a94da10eb80d065def8c3300a6173b498f932b37bdd4facd0a5b0c39c1583171439b48f323ab8ae3c511eedc647d7c13b1c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

MD5 f8ef06c94cec6226ba86f913d1664d8d
SHA1 31f2c5a99ba915d4c924e2331d882a7fb273e4c8
SHA256 0cf7b7e7958279f7abcec963793cff546af6b2892a2d915e73c86245a2f950cf
SHA512 05eb68b47f3bcbe39952b0a9880a120087a419989998e1985e2781fd12866df9766e552475b0a770587f948f49e03c48610dbee67ec28fbe771d010a5b333e42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 fc9ce0afc059491cf264001df1eb2255
SHA1 9d4c49fa82c5bdc1e0a45efac92b2080af2a4ec3
SHA256 150d2b31750c5c64fa041fb2856f9e6cb5b241ebbfe02ca707dbbe1ef44a9577
SHA512 4c15c479e0e74a84e98afa77a7635f29919a29417e1c0125db1d7801d875f94996d5b232f07e1c201ea18df2db9d0937a7141c25b9ca100a064d8d4650f8efb6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 34ecc86d6c0b5bca5e664a4fc4889b3e
SHA1 d9ccd2e693a60065d7ef452bc1ccd67d53ee92ff
SHA256 b6ed61fc9a33a31e5bc17b5225b32a3d300e39589e019e8b16c389ebe65393dc
SHA512 1491d27b33257f80dee61a410c48d6eecc98506f66703f63969390adefe89d5bf3fe6d365178af524f540b0a4b669f43649c8c0544bc000437f2530b26b8cee7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 3030a1ebe4c5f20ac3a4f8b969cdd7b6
SHA1 bf111d14735645d9416bc81654bf7c62d1bde5a9
SHA256 2ee5c73cec3e0e99f6e74ddf77f4555d5b438973f39a4bcc5efb3bda6b6907b5
SHA512 8769572d61064f407f44b5cf4b82bc3634339392ca40e6fcbd4edb0e9cfd4d76805fd5ba66b6dad106313607acc96825c9388d1cb4796aae44d45367791f4ed3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99

MD5 ca445f8a3795fdbc89dcbfffe169ca38
SHA1 9261581bec91b5ab48cb5160b5b33fb7b7aab28a
SHA256 7db52b0964663480cc851595f463b330b2a186fb8f6d827eacd9cb2ab5ac7871
SHA512 874784516ad98f0607a632936fb056f7ef11af26e277ac5e4b69ba5faa0752d3628e182807ea5f714458f591072d35b958c400ee7d01342909d746c7f5b13d7c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 dca8dacedbe0fb68ebcb5685afb05c2a
SHA1 36c895b84b4b7e66a9cadbf09164541105cfe47a
SHA256 450f27c0e0ed8e52bb8d76bf4a52884175ca64c54c1d038e84d2c9562674b37f
SHA512 2e1c0f6d73f0a7496e7677e21341b5f1b13f6e09dfe9c5aec6e4d444e9b806a1ec63bc15879ed4716753a7fcc7c31e425fd1d431ef5b81f076ceb7121eb39c2b

C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

MD5 36e5ee071a6f2f03c5d3889de80b0f0d
SHA1 cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA256 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA512 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

memory/1784-2631-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1784-2630-0x0000000000630000-0x0000000000BFA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:01

Reported

2024-11-13 20:04

Platform

win7-20240903-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

A potential corporate email address has been identified in the URL: [email protected]

phishing

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe /onboot" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
File opened for modification \??\c:\program files\mozilla firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
File created \??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
File opened for modification \??\c:\program files\mozilla firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "317" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1444 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 2416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2416 wrote to memory of 2784 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe

"C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.0.1886949311\722804594" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1228 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0955bc0-b70a-4626-a56b-05db370e8b6f} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1300 121d6158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.1.2058646445\699989543" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4a7e8ac-beb4-4dfc-baf2-52a6db391946} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1516 e72e58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.2.170052725\1703757487" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dc9b049-5a7a-4199-a263-6110b1bddfb9} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2104 12159558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.3.1928870289\1744065618" -childID 2 -isForBrowser -prefsHandle 2776 -prefMapHandle 2772 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb3cc16e-4332-46b2-80a4-65e8bd90c119} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2788 1cb4ee58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.4.750359270\850579117" -childID 3 -isForBrowser -prefsHandle 3704 -prefMapHandle 3680 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2512c7cb-2ecf-4dd1-8330-0a6ebccd82d7} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3716 1f0fd058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.5.994975831\1326074479" -childID 4 -isForBrowser -prefsHandle 3824 -prefMapHandle 3828 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2accc08-8f31-465c-8f38-edd5736d4424} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3812 1f0fe858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.6.909663669\291752357" -childID 5 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {077942f6-f6bd-4eda-8bcc-ebc4d2cff3a2} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3980 1f0feb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.7.336479887\1400921686" -childID 6 -isForBrowser -prefsHandle 2176 -prefMapHandle 2112 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {094c837f-b56d-42ca-8729-356e26f2a5fe} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2180 1a39ce58 tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.30.197:80 www.aieov.com tcp
US 45.33.30.197:80 www.aieov.com tcp
N/A 127.0.0.1:49218 tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 151.101.193.91:443 addons.mozilla.org tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 addons.mozilla.org udp
N/A 127.0.0.1:49228 tcp
US 45.33.30.197:80 www.aieov.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 216.239.34.36:443 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 45.33.30.197:80 www.aieov.com tcp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 registeridm.com udp
US 45.33.30.197:80 www.aieov.com tcp
US 45.33.30.197:80 www.aieov.com tcp
US 169.61.27.133:443 registeridm.com tcp

Files

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1444-3-0x0000000010000000-0x0000000010030000-memory.dmp

\Users\Admin\AppData\Local\Temp\A1D26E2\1E88ABC5A4.tmp

MD5 907f6d2ccb9de1f311b4f0ae58f1abf5
SHA1 15a255db8fe3ce554bbdd5c9f48a05dc6c6c33a9
SHA256 fb69f1e12ba410a1c399441c4a41a80fa2df3658fe64283c5a90afc51f9f600e
SHA512 768302a651af8b71add90ac24ec4b6b25f07b9835b30c08c81c548c88f304aa2795d47012328900dc102347d1c7d87f6128c8ab339674dbaf043e4cf8cb09c83

memory/1444-15-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1444-13-0x0000000000930000-0x0000000000EFA000-memory.dmp

\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

MD5 0afc63e7ac95a56fac3e27e877d4cc7f
SHA1 aca6640a5c2a8f542501007bdb72563d28edf754
SHA256 5912d65f1783ac35b02c9402869c65613ced65853858ecca1fa2cb16a1e4b8b3
SHA512 419d53d8f73f7b289f71e20c751c2a8f2b2fa755b2397035612e19f1447430aa07353879a9c647ac506981c09e4abaa059047d0c70b7ba70a037e271f99af430

\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

MD5 ec23117f2f80b01e57f7c1252e86f423
SHA1 31165e48f520b7ea199d60c8607a85e766f5c3fc
SHA256 059e67ef1c2fa5a58a8af682766ceb727812e9fc8e2a24b6734567d2f7e41ebe
SHA512 ae5d114bce090d743925b39784b35f420858879fc850e041d7a8bf65c1fd5cbad24f51be20670ea97ca590dcbb843ecc63078fee57ff50db67a6b6222dc21aea

memory/1444-31-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1444-30-0x0000000000930000-0x0000000000EFA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin

MD5 f91ec4f02ce872d21c7616c4a7f0f496
SHA1 fa7aa80beefad1460193d2e56931ebf9df734f3b
SHA256 ea1f143cef6e48c164c85dd6b6078ef99ba32a2a471dbb4434a0b0ad2ecd234f
SHA512 c74af200ff2f786ebe72d3c9e2ff1a2a1433b72f555ee85de3e54235d7261eea0fe2d2f4c8aed3abdb5664a86db826d073cdaaad54202cebe14bbed06d1ccb2c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\b42c274c-c728-44c7-b97a-056e580e43c8

MD5 764560faeefb4fbba19054b62a3b19f9
SHA1 efc63b0f039e0a1244a779fc7cc7f20feb96fb06
SHA256 24bbfd4cace6d5a2b6c54ad03d2f27028cf8adc8280ca79fed3eafcc7e969117
SHA512 9d60327b120ca4547d780e08b05b9ead63d5c16718d9542d65052bfd04528153268469451927182e6e48f5f6378834290cbdce09655dd5c4998647b5bd108bd7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\8fb2f70e-7dc6-42bb-b922-1a0f97d97d0c

MD5 16949c1dcebb3720029ca4efabdd72ac
SHA1 07c0128a36667c06c08155a1acd62c81e495a180
SHA256 f2223ec23ca04409b40e81969e5f5f53ed621367f4b186e2d0b23e8b49789eb6
SHA512 975733a324c5a4bb5cbbc28a4bc3ed14ef195e324e817e862407762a1a48568bd2ebd93de3638dce3171cc194558f58dc0dc66f674e984dea6eb699556dd5d5d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp

MD5 b96540c4177b255ff0e549e35895dbd1
SHA1 6f6f36c8453ed46b84c8103380cad3677c24a84d
SHA256 9fd3b6e2e3f5d8acc2f2fd4e2acac36686d5c6d8c498773178b668265be9cc3a
SHA512 f7ba3b8e5afbbd7abf89adcc8de1126c28870a3944669c9dc44b958dbe31520f152cdf1dd3e7d1ab2383fdc31eceb285219d92159b3435d6a6a97d60d68cf29b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 f99b4984bd93547ff4ab09d35b9ed6d5
SHA1 73bf4d313cb094bb6ead04460da9547106794007
SHA256 402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512 cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js

MD5 fbd7b566763c0acd46e4218693535a15
SHA1 f02237784fc861bf2eec51bb9175cd7496ddd032
SHA256 6b19105ec978cf009cd8b7a8e1d7cc78d2079cff9b117f0f4db5e148ba19d964
SHA512 37a3e006bbcd57b4b07457d482b2f408ba11db9a0218d3ae5ed3e25c57e49a3614b9e5db28f1497699344e093be9819f9107d286987af40002fe9f9ea3262958

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js

MD5 a3c86372ec76ce021c7b4efc9afce3cc
SHA1 3f1a1d2745d34c371616c940df68c4e4213b6af6
SHA256 c03ec9101baf51599eeffd10ce20de1f100ac491065dcb38012ff60868c199f8
SHA512 d0e7d99f219d851eaf2f2103a7f8e210ca1a3d2d0a9d64b64267f58c782a407c35a08afbb5d1ec9a4fd8580af4e1b27a8c8ff60a9982b45c97691ae8493bc737

memory/1444-210-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f269be4d5fc45532eaafa09000279316
SHA1 678983eb470f0ba87b5964384b8eb1dc828ac032
SHA256 105c4aa3daee223c20f50d9df447ac7bb1e5ab173de25c81994ca687eaa159de
SHA512 9193d6843d4f700d540597fe3bb4c34d790f4c4339ca68e6c9fc35c6d880e561e7191710e5ee3303f4ffa2d8d70caf246b87614aa4925c060e6e708e49869560

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/1444-232-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1444-231-0x0000000000930000-0x0000000000EFA000-memory.dmp

memory/1444-238-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js

MD5 9149d648f46ffb5673a439c36ae82884
SHA1 bdb12548c4ededc89809ba7669471c1cff3ad659
SHA256 6343d7ff620392d1eddf5a29d8635452f631d43761c35225429afecf6d3fa8d5
SHA512 68de5b1bdf549b20cb1152a2d73dedbf93945afb1e2ab2032dfa3d51fb6a432595435eaf79da7cfa0f0c803fdb2a193d83aaaf4ebc730edff8aaed8a37a316f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

MD5 34b563f2355cdd874e2f7d0c8c816861
SHA1 5a63becfeef1ce30e62a820a0840fc55aa63dd20
SHA256 eed6ecf7cfb7f78fdbed942d66e1607772df4c6947227a72aa33c2cfa5dc0598
SHA512 9c838092255c9b6979b444457e32c8428b0d3385ecde793d5e95dbda609ab615aa4709784bd3e003b58a0b1ca9ae02bdfd3f40d62ff1e5ec227a799d5db28c7c

memory/1444-257-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1444-294-0x0000000000930000-0x0000000000EFA000-memory.dmp