floxif | 616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Size

5.8MB
MD5

01359ba536f5e20064d0caf3e2e47663
SHA1

f4609e8daf2805fb0c9044b315520b553c51013a
SHA256

616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21
SHA512

583f3b60afb3080905840f90f9f17e47e2c5fe842c1ed955536c4f8e37b1c5193eb539eea53e2411811ea28b2690a9e4d317089167a3afd350a54550fb0fadaf
SSDEEP

98304:dbT5kHAZALmV2P4Vey18frP3wbzWFimaI7dloib:dXiHAZALinKgbzWFimaI7dlNb

Score

10^/10

floxif adware backdoor discovery persistence phishing privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000b00000001225e-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b00000001225e-1.dat	acprotect

Loads dropped DLL 9 IoCs

pid	Process
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2972	regsvr32.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2520	regsvr32.exe
1488	regsvr32.exe
2356	regsvr32.exe
2092	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe /onboot"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001225e-1.dat	upx
behavioral1/memory/2120-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2972-15-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2972-17-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-18-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-38-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-224-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2520-235-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1488-239-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2520-237-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1488-241-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2356-243-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2356-245-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2092-247-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2092-249-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-260-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-268-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-279-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2120-316-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
File opened for modification	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
File created	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
File opened for modification	\??\c:\program files\mozilla firefox\uninstall\helper.exe	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
File created	\??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "346"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Token: SeRestorePrivilege	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
Token: SeDebugPrivilege	2324	firefox.exe
Token: SeDebugPrivilege	2324	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2324	firefox.exe
2324	firefox.exe
2324	firefox.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2972	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	31
PID 2120 wrote to memory of 2972	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	31
PID 2120 wrote to memory of 2972	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	31
PID 2120 wrote to memory of 2972	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	31
PID 2120 wrote to memory of 2972	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	31
PID 2120 wrote to memory of 2972	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	31
PID 2120 wrote to memory of 2972	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	31
PID 2120 wrote to memory of 1844	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	33
PID 2120 wrote to memory of 1844	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	33
PID 2120 wrote to memory of 1844	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	33
PID 2120 wrote to memory of 1844	2120	616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe	33
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 1844 wrote to memory of 2324	1844	firefox.exe	34
PID 2324 wrote to memory of 568	2324	firefox.exe	35
PID 2324 wrote to memory of 568	2324	firefox.exe	35
PID 2324 wrote to memory of 568	2324	firefox.exe	35
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36
PID 2324 wrote to memory of 1800	2324	firefox.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe
"C:\Users\Admin\AppData\Local\Temp\616a99640b56604a9e4ea7efc51d2b9ce3c1929a5fbf99f575edf8885189aa21.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2324.0.1560278776\1412971613" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10845efd-7198-4dd4-aafd-cbb831d1a214} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" 1316 10fee058 gpu
      4⤵
      PID:568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2324.1.1765538131\920049863" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d367997-11e9-43fc-bcb9-37b71074c88b} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" 1508 d72b58 socket
      4⤵
      PID:1800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2324.2.1933381971\644830191" -childID 1 -isForBrowser -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f86aad3f-7636-4d70-ac2a-7e8d29a86239} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" 2128 1b2bc358 tab
      4⤵
      PID:884
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2324.3.516965956\1430243795" -childID 2 -isForBrowser -prefsHandle 2936 -prefMapHandle 2932 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a76ac0b9-3fae-4aae-89cd-a204e716195c} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" 2952 1d7e3e58 tab
      4⤵
      PID:1436
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2324.4.2082614294\1679615241" -childID 3 -isForBrowser -prefsHandle 3576 -prefMapHandle 3580 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e91a7e6c-ae23-4dd5-9c2c-4e8cf070b178} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" 3500 15530b58 tab
      4⤵
      PID:2440
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2324.5.1645606885\2084256815" -childID 4 -isForBrowser -prefsHandle 3652 -prefMapHandle 3656 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1efcb3b1-91a1-49fd-92b3-58c66491fb1c} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" 3640 1ecdf858 tab
      4⤵
      PID:2100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2324.6.1010964246\687579971" -childID 5 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11eb9652-e631-49f1-a066-c038c8b3a917} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" 3692 1ece2b58 tab
      4⤵
      PID:1496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2324.7.1192221460\1225964114" -childID 6 -isForBrowser -prefsHandle 4124 -prefMapHandle 4128 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae1d38b5-75a3-4af9-bf92-a66b9f7069bc} 2324 "\\.\pipe\gecko-crash-server-pipe.2324" 4100 1d277258 tab
      4⤵
      PID:1980
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2356
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
d3a6cb9de73fc15eaeffdded3ae56a1e

SHA1
fa86b74d0f76007022643e511b40e2ebb40faa85

SHA256
ff288f6fd266271c712615953dfb2dd028ddbd5444162000fe34046791507e3b

SHA512
dfc7637d24703cd464be4860bab7877c30c62f98aeecb50943546cbb0b7fbde75dd3e1e3de3ea10fd5120a3f24a610c380d9489517ad4392f79fda6644133203

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
8196a77857fc342d56e313f232b0e77a

SHA1
8eb7f044e30844923c7bad360fc8882dd1d2c5ff

SHA256
f3afb5e3f306e70eb958cf7f66bdc5816b58970ba8d8bd59947213f04d334d59

SHA512
29d751afd7a43f5ab3072792a40c48e89dc37c2330246bf29c83dcfc675ac10f70d32d1b46be0af09080f0731690f4d7a23c27cf583102c1fb6dbccf125cb64e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\887e2622-80bf-411a-8f66-13a9957865fd

Filesize
10KB

MD5
1de0436237f5bcadfa6877c6ab961d7d

SHA1
8a9b878744f5f213c8f72c77ccadb769339b79cd

SHA256
5a71bb71550a305e233cdb084f62994537f13d70e76d7e0f357f00a7c0191fb8

SHA512
69cdba4989cb0dc78475d6dc627b212b70abc5ee81ebf603ec286dc6671ec5e92360b64bfa1d42be514859cb69029f5fe95cc7a75a99ea536c59876b1b3ab5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\e0e6de69-13a3-4be6-a888-62e270504817

Filesize
745B

MD5
d46760154cd059087ed0a78d4e801992

SHA1
fca90fdc869df69fee6553bfc4e18861ff207364

SHA256
dd59cd80853128a19458ecc906a56c8bae3c32714fbea5e1b44b7d13220a9796

SHA512
962ebe7d83e7cea65467c71253d08e549fce689353d9ce421f9e4d5089c0862df0d41cde19a5a3a2bc87c02c6f2b6abe372da488182793a9256f90568b3b7c67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

Filesize
6KB

MD5
a6cbb28e0287226cda7a4bd5d4b194c5

SHA1
561ac38384917d832ab1b0e3cabf1453db76347b

SHA256
b546dbcc5aa102ce4ce81bc77e4843a412b0a624a1f43ef5e9bdb407ae68b7f3

SHA512
e8555d237687ac0bc66e71a45f82aba6afc1e5cbd9bc1a7bca19ff44fe2429931247ee43ee99c922df990ce70985bb67c57ec71f0bb869702e65e0a30106fe63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

Filesize
6KB

MD5
f83bf80e5519168ea6a3a5d8ed1d31c0

SHA1
1e12191010195a25ddc62997a181135f36ab5edc

SHA256
b8e12153a06eeec8db81ff6182be9202d907d83e64c8b6337b88e10d60938ec7

SHA512
638e3e375989fb7df19f33bc0555642bdecbdb8885abc1bc0484aafd370395b2718fff2b0a4e29ecf84d9ce9dfe2588b05e60ae6eb7251bc304eca24189259ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js

Filesize
6KB

MD5
9ba3dbeec6e3874db277e587760f16dd

SHA1
c5d1b9f8146eed18ea0c0ccfcf7ca751e425e6ea

SHA256
17ec649450fcc7d52c43cd5debdbff929367f00754d3df8bc492ed96b410f072

SHA512
e11d5276f72d181e99f5966dc32050eea8c9a829c47162072e8f0d4d2e464d62c80b1cc3db4ad89217c319e53a8f2c6b546a59e3c8b914b74a86b253516a8cb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
2039594720fba287b0c275c7c61d1ef1

SHA1
0d855c300c779c0da1584f6641a0f8474480b364

SHA256
7cf1ff40ed283fec3063ccc6366d68e732b01a49ff91d2bbced47190e20d4b55

SHA512
5acfe6037efc79a2b235378a2c573bad8affa4936dbebfe855a8a80e6dfc0ce07536b65b67af1cb23c6b2599f8d7547273fd14b5794ebdefd9722586d7686410

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
a3ef170eb9cd50c1410098386122e0ab

SHA1
51c66a0469e8c91fc5cd2a99bdf91dd1912d1ee8

SHA256
8d1f989ac460eb5fc0a3021f46e28ee0d7cd3ff168567ac1bff92ddbdc926723

SHA512
68e7a10deefd6dc36d8ef844ad8bb7210530b279d64b47122239f591de196cab44887a4275f6920ce827bccfcc980bcfe68b36cda01602edf490739f6b8d595c

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

Filesize
261KB

MD5
55004e60299cd935bc6d6842f78cfe11

SHA1
444ea958f5ef5c7c713f4cec9122e0c464ff5591

SHA256
9fce5773f2186fe38cc4a860367adfec4e3e23b323a89ba3e09e82f8b24bfe1d

SHA512
52028977207db1a04db7dda92adb4a3c7ea4174b73119e57e2457bd5ee323c6835fe60c54a1d68114f3656eee8e663a4c2401eed1f4812c033c800c9169f9bad

Download Submit
\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

Filesize
1.3MB

MD5
82fe8752b4dc9fc4d29978094d32b57c

SHA1
3c2a26435cd75f83382fac2ddd16a74f2cc29f30

SHA256
c831e8ceac30805800433d697b6648655c17d1ea72d28206176a059ad3ded26c

SHA512
940c887bb40a93527639363205ca00696d4e44262e82c5c8aaacd0de895f137726c2a54c593291d179af630d10130d53c549ba51d979165bc82c69001fdf616d

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\3978948848.tmp

Filesize
5.7MB

MD5
d49ebf231b636f6bf0d1c024cd9028ee

SHA1
56925b840bff6bf7d77302aa98acebbb11a3e57b

SHA256
3381333538eb5aaefd80651d7c12f66173d2bdc31cf054a46e909049bc2a15d9

SHA512
4f64212fa0296dcec25eb5dbe5b19330a470e81df1c0d415fd6d03e4e7b1e3c97e99389492bee7d98bcbc779e568520a9454bc3daab3a27f5da75b4dc615acb9

Download Submit
memory/1488-239-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1488-241-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2092-249-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2092-247-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-268-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-18-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-315-0x00000000008D0000-0x0000000000E9A000-memory.dmp

Filesize
5.8MB

Download
memory/2120-19-0x00000000008D0000-0x0000000000E9A000-memory.dmp

Filesize
5.8MB

Download
memory/2120-316-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-279-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-224-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-37-0x00000000008D0000-0x0000000000E9A000-memory.dmp

Filesize
5.8MB

Download
memory/2120-318-0x00000000008D0000-0x0000000000E9A000-memory.dmp

Filesize
5.8MB

Download
memory/2120-259-0x00000000008D0000-0x0000000000E9A000-memory.dmp

Filesize
5.8MB

Download
memory/2120-260-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2120-38-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2356-245-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2356-243-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2520-235-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2520-237-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2972-15-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2972-17-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download