ramnit | 087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Size

6.0MB
MD5

ac7276cda48648e044a5160d2642aa5c
SHA1

b0bfb31d6231eee5003ca26193feec3efe82f8e0
SHA256

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0
SHA512

8210a21302ec4b0212fc58349ecb86de8b9a90119b7c13cf4ea2002a97d4e53c414e0c6b528da848753b9c693ff44651a813f01ba7cd0a5a1881beaae46ce3e0
SSDEEP

98304:OnzYJN9FRmWIuJzxP4618frP3wbzWFimaI7dloCP265:NJTmWnEgbzWFimaI7dlzOI

Score

10^/10

ramnit adware banker discovery persistence phishing spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral2/files/0x000d000000023b9f-8.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Executes dropped EXE 1 IoCs

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

pid	Process
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

Loads dropped DLL 2 IoCs

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

pid	Process
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe /onboot"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4844-24-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4844-22-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4844-30-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4844-21-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4844-19-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4844-17-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4844-16-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4844-15-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exe087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exeIEXPLORE.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exeiexplore.exeIEXPLORE.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2112937348"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438896761"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144836"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2120967619"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144836"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144836"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A973D08D-A777-11EF-AEE2-C67090DD1599} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2112937348"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Modifies registry class 17 IoCs

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exefirefox.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "324"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

pid	Process
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exefirefox.exe

description	pid	Process
Token: SeDebugPrivilege	4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
Token: SeRestorePrivilege	4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Token: SeDebugPrivilege	3168	firefox.exe
Token: SeDebugPrivilege	3168	firefox.exe
Token: SeDebugPrivilege	3168	firefox.exe
Token: SeDebugPrivilege	3168	firefox.exe
Token: SeDebugPrivilege	3168	firefox.exe

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

iexplore.exefirefox.exe087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

pid	Process
4088	iexplore.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

firefox.exe087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

pid	Process
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
3168	firefox.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exeiexplore.exeIEXPLORE.EXE087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exefirefox.exe

pid	Process
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4088	iexplore.exe
4088	iexplore.exe
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
3168	firefox.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

pid	Process
4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exeiexplore.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 4516 wrote to memory of 4844	4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	83
PID 4516 wrote to memory of 4844	4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	83
PID 4516 wrote to memory of 4844	4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	83
PID 4844 wrote to memory of 4088	4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe	84
PID 4844 wrote to memory of 4088	4844	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe	84
PID 4088 wrote to memory of 2352	4088	iexplore.exe	85
PID 4088 wrote to memory of 2352	4088	iexplore.exe	85
PID 4088 wrote to memory of 2352	4088	iexplore.exe	85
PID 4516 wrote to memory of 4776	4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	98
PID 4516 wrote to memory of 4776	4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	98
PID 4516 wrote to memory of 4776	4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	98
PID 4516 wrote to memory of 5100	4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	99
PID 4516 wrote to memory of 5100	4516	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	99
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 5100 wrote to memory of 3168	5100	firefox.exe	100
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101
PID 3168 wrote to memory of 1388	3168	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
"C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
  C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4088 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2352
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4776
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70668d73-1399-4617-a03e-79f36b0002eb} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" gpu
      4⤵
      PID:1388
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2260 -parentBuildID 20240401114208 -prefsHandle 2308 -prefMapHandle 2304 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc077855-173c-44e5-9062-a190faca648d} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" socket
      4⤵
      PID:3428
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3228 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10136e9b-5114-4aef-9fc5-feaf58c2948d} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
      4⤵
      PID:4004
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2584 -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 4000 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e310f1c4-e0dd-4639-b278-7d1e1526adbd} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
      4⤵
      PID:1044
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4752 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7e29927-01fc-4fae-b6a0-bbf7bc0cb9b4} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" utility
      4⤵
      Checks processor information in registry
      PID:5204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 3 -isForBrowser -prefsHandle 4852 -prefMapHandle 5240 -prefsLen 29278 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e5d5672-9ce3-46c6-af47-a423e6cd8b63} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
      4⤵
      PID:5888
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 4 -isForBrowser -prefsHandle 2980 -prefMapHandle 2924 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {495fb1b2-3407-4e77-9669-b71d36ad967c} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
      4⤵
      PID:6088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 5 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7273543-de61-4086-85c6-dee40508963b} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
      4⤵
      PID:6112
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 6 -isForBrowser -prefsHandle 5740 -prefMapHandle 5748 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b96e5d3b-0590-4681-82d7-e921b3404034} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
      4⤵
      PID:6124
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5144
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5168
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5196
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
5cdba0b951b215a32f9053da8eed5d75

SHA1
5bcaf283c5b7a740bc804a393298d6cf4f0ba4c7

SHA256
5db4ebeed80b2c5b5e17e1f7ddc01139ee151ff2b398250393d8d30d3bbf1118

SHA512
7471c506a63bc00edb959edc7b74b42af565c99297252348a6edd5ef1036ad7885f2ee3d5fad141400a549741980fe8f08c9a00a743bd696913e536d76c91d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
1059cd865021d3b50183663e92285a8e

SHA1
30a0db9e9ae0188f426da519b081db137a415517

SHA256
a094ad29c0d0bc4399f71c7c04550f6cb6f5a7baa43f12c9a8a7e1869e2e1170

SHA512
8c83c616ae05e299abade7c81374727bf6a693072686676ed92e01353190f8928c8a2ee103f66d3ef7f663fcedeec7e97a29ba1bd0fe2d48d0f6fdf9949eb79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
77aed16c4928d07f1788c3648b188fa0

SHA1
34d2499a3e89481d85533e01aac283c4f5a77a0b

SHA256
251d6042bf8aa0c10562bad6e793cc6aa76750e226dc2f7268f3f513ad81bcaf

SHA512
5889d1342990df699c38d1cbe5777a3b74c939a1c263fe7b44c7d07abc02224f319a3ae5182d52741e861cee2dda34b811774c49b8e34aec65786cd9675212a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
938e41bd4391dffd82c24fc20d45ebce

SHA1
50d87febd795dc285ef99d93ad642b3c7b4bed58

SHA256
de29115b8ece8455d3f699596edfdbeadb3c2981d3726202f8c60060d0842eaa

SHA512
fcccea9bc3b659896b5351d757e6d9b495f09c045b508dce5f368c2b3b9584f9e24760a089f6795936b8629b42327768fd8c7b0ab98d2be21c3afdb8f4438ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

Filesize
261KB

MD5
3ae03147ee0e6eadde6539d9a7788cd9

SHA1
0923e5edf62451a8c9078fe9557551a806eac272

SHA256
3a889c12b0feb9c87408c7ad438b50f16d255fd2d842556e4a4c94f89414cb8d

SHA512
9bde63534cbf9e7b26b470cb056f34114875813d7cebb2d1034c9a8e368b10ece65be3fbb858d334fdf208c451abf41f169e0ceca4b810575fffb08df50ba19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uni85CA.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
c4dd0b7638465637079ef5848f19743c

SHA1
99dfd415e17b9c81bbc0d9416f58625a12c0894e

SHA256
2e672bdd4627bcb14f7d2d3bed5a781e500d574205390bc73927e24ba2b4f645

SHA512
9f6c6968ff981277675bb9633b888ccfb4f4410dbed66cab3ed6397de34703ac516e99ea8deb828fab87797af7fa19fa2ab683de2c78336d5ae149638557677c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
12KB

MD5
070f931de0756a13a519818205a91bf0

SHA1
e1e4151485700994868109dc6b9f9682c1fa1cba

SHA256
5955bb49a692f926d9f6ca31e1458f5402889c4ae6733a0dbca3d78b7d0785ad

SHA512
15128bb4ff8e415535d4cd48a491a280c80626a1724d1f92cb1efb6686bfad078bd738471c98955f88a37c3953d94083bd6de0f4cbbdc81c6b5e1f05284d52d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
899014291f9349b970aae0926ec9ab0e

SHA1
e09deb450e6b1c956b2349ee724ed817ea91ff54

SHA256
bf99ad0646a1cee8cc42fce6af41857268d9f9660c4d75786976b04661ec7ec1

SHA512
30988534e9860d1891e58ab324f250bd93e1d99b359f7d52e58d5e59a66c196bfa68c5fa36809d9e9c6e1bfdd7bcd9fdcb684ca478823fdf5aab6864429c3823

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
37d958ab6f7b91d85e7b0939d62d3715

SHA1
bc6e8174e501130c9cf901af5816f75d8ac2ef6d

SHA256
56dd3d29cf9854c094ab7e8940402bfb16931dd7913356737f5a6ebca0739092

SHA512
975ec32b230a643fafc02fdfb918272867afadf056c54918f0dbf6d13ba4226d20e6174b0986af24cac9ea321dde22820fa165e6602d93fa598bbe4a99c6ba51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
6c2b220c8611670e79becc0ec6938c50

SHA1
336e0d10a104e2e0b0cc341e7a25e2282d566ce8

SHA256
4686b10717b176558463d8a48b4c74c29a5cc2a749626002aae4280ac7e80ba4

SHA512
63c58def0ef7e059e3a1b1cfcd293e94f3d719d9d55e0f2cf37a08749aa9a3e8fe5013c23d3e17ff9bc468f7ab89c72bd6a53a3693c0351b7004aa7386909bd2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d07e12c097b282137bccc00fdcb67a30

SHA1
9e3942c26f6c616ebc3b8faf008590dd60a6a8ef

SHA256
1c57130976320a18a605db6172558cd1420876f703a26407feabd040f009fdad

SHA512
729c699d4fb612cb6f343540ead28c2772ee5ada59eed49bef9c2ee59861d6e2e19d101070059f735e1141fac857ff882a59df47d6a80294448dfae212c09492

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\57709832-c59c-4f71-8d9a-3854c388ec70

Filesize
24KB

MD5
11c8a3e4bb50c1797e10f6da6423c229

SHA1
7cf5ba3615f37cb6fa9b93eebb777d65d23974be

SHA256
7bacbdcb87de22b38219e1da7281e3afb71a2f976bda2ca1fe96a470f87db2b8

SHA512
43f986dd6f3f6bd5e6b5f8fb9d29d1d641c7cdd1721b0646e78ef560262b2557724545061778651f2842227645729d2d89df5e026e0f2ff4641a1bc969662d12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\8c514d25-69a3-4846-ab77-3938c7255b42

Filesize
671B

MD5
80f050750abb2c3049c3f02aae42a603

SHA1
8abc4cf09a85440e2c19b0d29db492e15d09e208

SHA256
c381925f757f295d447d937c3a4b423db02784df624e60336652a58147e4e65f

SHA512
0fa798aa26d4e7595ee1e747ef3a9be56ea30736bc084eadc570ef568587540adaaa885d8bb05bc69a9b9885647aa5d01ab63637891b7e94b2015890ce5955cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\937b361c-fab1-424b-a7fb-e78e37aa7c93

Filesize
982B

MD5
b09aba1aa6f152bf5605d2bbd0677351

SHA1
2efd4437e2388af8129cb95ba28cab32328cfdc5

SHA256
3ab3de88a330d3a9c9cbbf47ec5814125ea2e6b25342e51c16261dfb16d49174

SHA512
7399921ef40e8a8d8b624c91bd9fcdf7549798b0d7d8150cb1bb875583760c9c5b49485c6023c635628d384c42a1a6e3909ded42a5b7bb262cbca265ed688a5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
10KB

MD5
f4140f710e91c2455e46a3eef5c73d0b

SHA1
0f6768c9f7913f0ea3bca3461e35b4f70c5a1b40

SHA256
c3156af6791b1f9423a38768ef33e399f498f3cb77e123f662d4ff7b5500bedf

SHA512
62ff3257b5ccc1f7e4b9c6263e9dfcd32327d1093e42769c2fc57e17c3f5d2124d1117c39691e150ee4a40a3090e68a2e7a582837981b4c5b808614d4b1cefb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
12KB

MD5
8a67901a05cfbbe3b417ccdae421868b

SHA1
13d8769a0d68538abac6a61ae24ce4919376c986

SHA256
5d459ee38e5b0b09127756d22e76193f5e3ca0dae225412a3bff3ff7c54f289e

SHA512
1376dc6db372066fd14c7203e7c3c8818f79e1d18737c55f41c50dbc3c994d137b9df59cc3b12215402eb7fd5a24fa9f11ce7354d62e4f0bb065cc0e1fd07b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
11KB

MD5
375624bb65a157b8ecde81c78000b48a

SHA1
27f9537c8b09c14bb53ce43aafd326646a1ab4c9

SHA256
522515e37adbd492c20142f39828f1d326d637f97698cd052aaa4dc8453f5c85

SHA512
e00efea6c6daa7dc3a7f069199428290d493f21fe794691636757c4c177ddebb1f0876a2bbe2f4c520a4fecaa9ed46e914dc3d43bdbd77b2e29f1a0bdf856b94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
49ba6cb0daf7729215cafb06eba57f16

SHA1
182f57a30503eb632d74a05c4ee3271f563d7464

SHA256
4e926818e1b41dbf92a9b1ac2321f861ca4e2212170da213d918d145393cc872

SHA512
a9880650a599f51c98e4b2b1e6cb7c1a2f43989d08f6d1c00d6f8fcb8753837a3a9b684e2efeb5285635dc6a7cec911cfe0ed335c9302fd808386ee12978060a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
c7fbb362171a3ba30b85b1ca7806f1ff

SHA1
64202e8920d39ffbf5fc3b09dada809bb94b5488

SHA256
f09159a08a26ec6a7224a01fb2be5db5cf59b0013cc7be98b8004140b58b042b

SHA512
4766968781ce825bfbc6653bc32e709be40a6038c5bb942e204621bd4c4668dd3c1be0883d578755e22f76cce6a59ee65cef76dd0b500c20a4ddd27642505511

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.8MB

MD5
6916635166232a89a4954949359fe51a

SHA1
32d34f3b247b48b1029ac9facba13ce89275aa53

SHA256
9491a644a68c8652e1e28af2860fda57bc53ff7dd493ec93980d97c1ddd50905

SHA512
2d3a86809d5472516c9dbbdd389d7a79d1d9f9c1937b2f9661bf781f736f05c03013e4d44995e28cbf1ce95dafec0ebc399e42419fb972f3ee7258cbb07fa06b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.6MB

MD5
a92dbf021bd4e448bc4c43c8da4a7056

SHA1
92633ddb9ad4a8385150dd815168a2c8331514ff

SHA256
37ba39f56979fde717492ceebf0fd0323d5918b3608208667579ac739ca11943

SHA512
79b1edd5ddbd014f5c50e39895672e55c3519503cbb16dd33b5224be0aef575ecbac1f746882fb3393238e50f671986c34b415ff22b970a093b53e23f6c9c491

Download Submit
memory/4516-0-0x00000000000E0000-0x00000000006E8000-memory.dmp

Filesize
6.0MB

Download
memory/4516-2673-0x00000000000E0000-0x00000000006E8000-memory.dmp

Filesize
6.0MB

Download
memory/4844-25-0x00000000779E2000-0x00000000779E3000-memory.dmp

Filesize
4KB

Download
memory/4844-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4844-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4844-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4844-26-0x00000000779E2000-0x00000000779E3000-memory.dmp

Filesize
4KB

Download
memory/4844-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4844-20-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/4844-30-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4844-14-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4844-23-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/4844-17-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4844-29-0x0000000000650000-0x00000000006C3000-memory.dmp

Filesize
460KB

Download
memory/4844-11-0x0000000000650000-0x00000000006C3000-memory.dmp

Filesize
460KB

Download
memory/4844-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4844-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4844-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4844-13-0x0000000000650000-0x00000000006C3000-memory.dmp

Filesize
460KB

Download