ramnit | 087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Size

6.0MB
MD5

ac7276cda48648e044a5160d2642aa5c
SHA1

b0bfb31d6231eee5003ca26193feec3efe82f8e0
SHA256

087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0
SHA512

8210a21302ec4b0212fc58349ecb86de8b9a90119b7c13cf4ea2002a97d4e53c414e0c6b528da848753b9c693ff44651a813f01ba7cd0a5a1881beaae46ce3e0
SSDEEP

98304:OnzYJN9FRmWIuJzxP4618frP3wbzWFimaI7dloCP265:NJTmWnEgbzWFimaI7dlzOI

Score

10^/10

ramnit adware banker discovery persistence phishing spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023c7a-9.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Executes dropped EXE 1 IoCs

pid	Process
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

Loads dropped DLL 3 IoCs

pid	Process
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe /onboot"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5096-15-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/5096-16-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/5096-24-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/5096-25-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/5096-23-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/5096-20-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/5096-14-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/5096-31-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "32528897"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2D6A14C0-A778-11EF-B9D5-DEEFF298442C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "30128637"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144837"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438896981"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144837"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144837"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "30128637"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "324"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
Token: SeDebugPrivilege	5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe
Token: SeDebugPrivilege	4248	firefox.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
4620	iexplore.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4248	firefox.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
4620	iexplore.exe
4620	iexplore.exe
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4248	firefox.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 5096	4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	82
PID 4080 wrote to memory of 5096	4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	82
PID 4080 wrote to memory of 5096	4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	82
PID 5096 wrote to memory of 4620	5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe	83
PID 5096 wrote to memory of 4620	5096	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe	83
PID 4620 wrote to memory of 1708	4620	iexplore.exe	84
PID 4620 wrote to memory of 1708	4620	iexplore.exe	84
PID 4620 wrote to memory of 1708	4620	iexplore.exe	84
PID 4080 wrote to memory of 3272	4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	92
PID 4080 wrote to memory of 3272	4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	92
PID 4080 wrote to memory of 3272	4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	92
PID 4080 wrote to memory of 4100	4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	93
PID 4080 wrote to memory of 4100	4080	087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe	93
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4100 wrote to memory of 4248	4100	firefox.exe	94
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95
PID 4248 wrote to memory of 1220	4248	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe
"C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
  C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4620 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1708
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3272
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acef1b5b-1843-4797-8586-efa8b8d7de96} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" gpu
      4⤵
      PID:1220
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f10852b5-784a-4874-92a2-9930a28466a9} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" socket
      4⤵
      PID:3324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3408 -childID 1 -isForBrowser -prefsHandle 3400 -prefMapHandle 3420 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e285a28-c796-468a-9329-56062dd3eec8} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
      4⤵
      PID:2372
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2864 -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3580 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fb5f2ef-3195-4d0d-a2b6-5f33b2be9b45} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
      4⤵
      PID:4024
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4668 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4508 -prefMapHandle 4512 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82763bd9-3910-4180-85c8-dacc63908809} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" utility
      4⤵
      Checks processor information in registry
      PID:4844
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5224 -prefsLen 29197 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad924ca8-1de3-4bde-9d41-dc39b50062f1} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
      4⤵
      PID:5776
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 4116 -prefMapHandle 5560 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c9d81a3-6635-44a2-8bce-fea298aa1666} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
      4⤵
      PID:6020
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 5 -isForBrowser -prefsHandle 3232 -prefMapHandle 3196 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d532cb66-8641-4579-b2e6-a41215e964ee} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
      4⤵
      PID:6060
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 6 -isForBrowser -prefsHandle 5764 -prefMapHandle 5780 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f559684-4e19-4df4-800f-c6cd88c84e0f} 4248 "\\.\pipe\gecko-crash-server-pipe.4248" tab
      4⤵
      PID:6132
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1356
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4304
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
5cdba0b951b215a32f9053da8eed5d75

SHA1
5bcaf283c5b7a740bc804a393298d6cf4f0ba4c7

SHA256
5db4ebeed80b2c5b5e17e1f7ddc01139ee151ff2b398250393d8d30d3bbf1118

SHA512
7471c506a63bc00edb959edc7b74b42af565c99297252348a6edd5ef1036ad7885f2ee3d5fad141400a549741980fe8f08c9a00a743bd696913e536d76c91d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d5d7143b3cc4b4b32e1b2ec6f09e0b86

SHA1
cba36291080ce9f1ad24b335b810742e8de492ab

SHA256
f8f6368c09e5aa915623a6f104d69631ec1ade184751f973a1b0694f6727e7ff

SHA512
0697dcd7ca3f3e2e9b6ad9889cbbde672a7cc20deff052d1a1179c4b63d52cfaf8ca3415ad9a546404b47c6e61a210bc6ad467d8a326ae9d4b4421aaaeeab1c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
06f1dd6128c176c5ebafa23046044fde

SHA1
64c7256bfcf8ddc0970977eb25a03d334ea07a0c

SHA256
326d24874dc5a5ee704fa4f5f9bffbceadd6b4f3bf970e18797c76a71781e637

SHA512
9490dc0645609bf0fc469a4332a9cd8cb286f5b3a4df37d985c5a9f14df58355553a5dcd175fa2ba9ef3a3d25a86e26c94f936c43a416b48649c465bf4d15c19

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
9bba59dbe590639ddd6a1dcd39974c5e

SHA1
7211ff006bc2f034e8a3c97e42e2cade2604a03c

SHA256
3772da5726b06fa6935d6eed9dfbcc890c0de35c6a9dc63f2f028e7a7681e955

SHA512
910feee779070e0350afc475b71de8b3ca5b3bdec47d6d6bca0dc4797dece9928ea21dddeb0d1815889f6543fafa27fa6c1e6fa4d9bdd61f92162e5db37ed0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\087d6db9d77131c187e49ce566c78a27b0c3d1a7d55bc1b055858888637b48d0mgr.exe

Filesize
261KB

MD5
3ae03147ee0e6eadde6539d9a7788cd9

SHA1
0923e5edf62451a8c9078fe9557551a806eac272

SHA256
3a889c12b0feb9c87408c7ad438b50f16d255fd2d842556e4a4c94f89414cb8d

SHA512
9bde63534cbf9e7b26b470cb056f34114875813d7cebb2d1034c9a8e368b10ece65be3fbb858d334fdf208c451abf41f169e0ceca4b810575fffb08df50ba19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmi7C83.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
6KB

MD5
783614e4d9e5a46aa1a87c2c90771f34

SHA1
ce5d51f7637f5b11a3618c37e7c15e5528f17c19

SHA256
09ef7e393afe6c7614baa3715d8a600907738668e6c7f1cdb113d4c43ee04876

SHA512
b546d102edc3770e22740ab2f86e5100b9b6f81b61fd4a2c7c3cc988d46da5be91cb56ecb7e1ea07d35eb13cb40ab23b93df6aa86118dd5536c1d3c6932e924a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
12KB

MD5
97f751ea9ecc4489bd176b19be094617

SHA1
21e37c69a15ba9f0894f1afe9a2138771f5bbb84

SHA256
afcb4eb3d48cd74a9663e7654724ffae001f7c09a52d6bd05d253ef85023cb93

SHA512
e59c6ff4a3ea36ae62565781099be89c8458a377479d9cc50dd89b53f547ed9b72d96a04208f396abbd80d631131961399bcc5314994cb54fee603d6109bba69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
bb8461b7db3d76a7858054844da3d425

SHA1
aac60c4e47e7ab886ad3dc30c3a1dee90a4a97e7

SHA256
91f861a9fd7736b85e82317b984d946d693b5d6d76e947835f774cef3b6acdc0

SHA512
7003fd6366bda09064e8e635cc736cb6dd6a672808a76c1a86174e228f203bd25d7c58bacdc62af98e57002d519912d5267ec67c011a03a61d52a627ffa926db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
52aca9783021df6a345ed66ee0938598

SHA1
7480bda5510747c6bcb27d3f383407a33f659915

SHA256
9cf27f42e0f727a15ee84df417c059e9bdcfece88a025609f4ca9a4991007b09

SHA512
b7ef2d3b4c2bea747f68cf176824dca62014fd534910cd514da9790ae8fa3de020b34d5891dbcb13ae7e6d62dc8a947ea4433dd9b6301113af6fe8fee33e6db8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
f1b2526766ddff232719696a78f276b3

SHA1
915b11edee34d282f56c908b714597ac7a0e2815

SHA256
787fde97581c1a4c1604981efecca875f5d86ab9630545123d5d5fc0bc101d0b

SHA512
4e4e5e9db433517fbb1ad93e04cecb0d04fe2e96ff4cd1a16367f359c19f87988c29aab925b1df6dd8fd194cbfa8747adfbb319d520b41f0a382f2a86b9ac9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
e6675da96562296ef1d10f40a155208c

SHA1
36dd144e81ba7412e8c195db9cc41e298232d405

SHA256
659b7ea29f4882e29048c637660e00a3669d83ae1ed9f6eb472670d444853e9f

SHA512
711c8a27f935d69a87da93a5150b27e412609aa25fd9b3149c67bdd59b8b829f00d46315f8d49bd359327afa904df0230177e4bde38d1b4aa1eb528f0bed94f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\32b65df6-a734-42b1-bbbd-d885fda53264

Filesize
671B

MD5
adfa5a0e1b0540928068a08989fe8b7e

SHA1
d569664188442231d0b4649b39ad34127edb4801

SHA256
a4f8cd74ed3707601a5052926d4967b25aa0a0c97c1aa675edbea0baf5cab538

SHA512
541d371f9ec8b787c31697b8ca7ab4821277aa9d9f987048151ef6c78c033cdbb5526fd6033768f035b3ac70d2d11178f83796a24452dc5cdd1003395110d437

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\61ab0aa3-663d-4394-8221-4e934f905f25

Filesize
982B

MD5
0e04aabbf99c4ae14e50312493cb353d

SHA1
dbb4db933306cbfd2464a84dfba2735caff5c536

SHA256
ac3ce2e7bc06e2f55ba9740fff3481b226929e7b7ff0a2c20114ee05e7b0f2f9

SHA512
8187f181d8a5c6e3ce947bb07b93ac640a4400890bec08ae0dd01724ceae8a596b9eee7433d5753dca46e3989a08b77eb2f1ebf059e3665a8241dcdaa4d37bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\aad9c574-19d9-4c4b-ae45-4c7e24bda8a1

Filesize
25KB

MD5
9b7e6bf34a1db7fe270e73aabff25967

SHA1
3b73c119df1549d51ee0e8880c91b4241b3e0881

SHA256
e0065adf6f5e5f10fd7144031eec15af30c14ef13d1047a09d88ca3fb6d18eed

SHA512
c2d5f211faa1a10e18e471ab6bcdf77b89cd2b26945d02d78da7780df54e7ac91dc4c59ac75da732fca1865ee33215157a7ce9786acbb463143084a88f94c90e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
12KB

MD5
acbeb1562d6679803103f10c7d54ff9a

SHA1
a2490e9b862297d4dcc74d6360a250625740a2e8

SHA256
55b45a0d4b2f4a0f5fdee7f2285412c1913ba857b25aef626003106f380d18d1

SHA512
89cf73e72cd876ea284dc1f80b87525152351650a11e1385a3e4cc1c3b6ddf8acb6a8d6a50ca2f06920959ef4f6c366a3559116ca486b72a52ab738f2929aeee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
10KB

MD5
8064ceebc5fd19c523c497be4280d962

SHA1
0cfb527c258559a0c64b1d5f8b35ba1b5e21814c

SHA256
52b3e7a4dc9b5ceefc29e286099daaf990da8ee3e642b9260a0808ba6f54fbea

SHA512
ec253a38942ced85c6101e563abd72df8e8cd4556841d746bbeed6b1b2e2f47a3106fc13184d729fb0c285ad711021cfae98011b342d2d3d47a6ad96dcc5f076

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.7MB

MD5
63fbfe0ed88c64867a9d6b2229cd10d1

SHA1
7fdf585e6d9127c603a31dfefbf50f684d9cd2e8

SHA256
2299572d7fcf4e9fcd1d273ab3bbf8770865be90fcc0dd7630966a99a5c2e36b

SHA512
8a8d30bb162ec85fe6f7ed33d6abf1f2d98e0346c62e9055373f8fd8ba32f2717d840cda061d13af62928ec929648122620570dedc361f9ac32b92ba79607eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.7MB

MD5
724c4c7927bf712c755fd72a017ad77e

SHA1
07d842d9949e6137c6d3740e77cab102cd031c33

SHA256
dfaa0f4f9481b69687542c5b372c60b4e947edc834f2040ca9352dcc8fb278a8

SHA512
949dbdb6770a0c1c47f26a1d26ff7c25e22bbf3310535bc42dc70a948ab7b47702069435d83349fe263344d0c579e67c726c010cc043aa6549409e41759ec0b3

Download Submit
memory/4080-2563-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4080-2560-0x0000000000540000-0x0000000000B48000-memory.dmp

Filesize
6.0MB

Download
memory/4080-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4080-0-0x0000000000540000-0x0000000000B48000-memory.dmp

Filesize
6.0MB

Download
memory/5096-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5096-11-0x0000000000840000-0x00000000008B3000-memory.dmp

Filesize
460KB

Download
memory/5096-31-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5096-25-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5096-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5096-23-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5096-13-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/5096-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5096-21-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/5096-20-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5096-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5096-26-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/5096-27-0x00000000774C2000-0x00000000774C3000-memory.dmp

Filesize
4KB

Download
memory/5096-14-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5096-28-0x00000000774C2000-0x00000000774C3000-memory.dmp

Filesize
4KB

Download
memory/5096-32-0x0000000000840000-0x00000000008B3000-memory.dmp

Filesize
460KB

Download