floxif | a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604af

Analysis

max time kernel
117s
max time network
99s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/12/2024, 22:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Size

5.8MB
MD5

d32fed1e0d722c0981f748c89aa9e2d0
SHA1

3a500c6c28aea14da842d46dc0cf98193adf6afd
SHA256

a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604af
SHA512

53809a5bf042378685b63c675a40d86caebfe2ac928e888b06f6922d8a6fcd823c41264843085c12213a0fd31865f163273b53b4f2261f5b4334cd8a45482284
SSDEEP

98304:NZAmLhPQYb9QORwlpvKjq6P4YqN18frP3wbzWFimaI7dlo8t:N/LhPQYRQmwlNQNgbzWFimaI7dlR

Score

10^/10

floxif adware backdoor discovery persistence phishing spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000d0000000133b8-1.dat	floxif

A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000d0000000133b8-1.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe /onboot"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d0000000133b8-1.dat	upx
behavioral1/memory/3052-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3052-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3052-15-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3052-37-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3052-205-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3052-226-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3052-236-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3052-254-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3052-291-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
File opened for modification	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
File created	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
File opened for modification	\??\c:\program files\mozilla firefox\uninstall\helper.exe	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
File created	\??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\CLSID	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "350"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Token: SeRestorePrivilege	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
Token: SeDebugPrivilege	2624	firefox.exe
Token: SeDebugPrivilege	2624	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2624	firefox.exe
2624	firefox.exe
2624	firefox.exe
2624	firefox.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2624	firefox.exe
2624	firefox.exe
2624	firefox.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2744	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	31
PID 3052 wrote to memory of 2744	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	31
PID 3052 wrote to memory of 2744	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	31
PID 3052 wrote to memory of 2744	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	31
PID 3052 wrote to memory of 2744	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	31
PID 3052 wrote to memory of 2744	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	31
PID 3052 wrote to memory of 2744	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	31
PID 3052 wrote to memory of 2808	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	32
PID 3052 wrote to memory of 2808	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	32
PID 3052 wrote to memory of 2808	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	32
PID 3052 wrote to memory of 2808	3052	a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe	32
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2808 wrote to memory of 2624	2808	firefox.exe	33
PID 2624 wrote to memory of 1740	2624	firefox.exe	35
PID 2624 wrote to memory of 1740	2624	firefox.exe	35
PID 2624 wrote to memory of 1740	2624	firefox.exe	35
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36
PID 2624 wrote to memory of 2280	2624	firefox.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe
"C:\Users\Admin\AppData\Local\Temp\a6299240d8817978bde5a2985ee040734e4c8fc62f32a241481ab6dd1db604afN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.0.1268105985\194362835" -parentBuildID 20221007134813 -prefsHandle 1256 -prefMapHandle 1248 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad8e7682-d0ad-4fc0-9e9f-6f512e05545b} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 1336 44da258 gpu
      4⤵
      PID:1740
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.1.1850240076\475158435" -parentBuildID 20221007134813 -prefsHandle 1552 -prefMapHandle 1548 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8635c3f5-cb59-4ec4-b3e0-6be6ff44cca4} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 1564 d72558 socket
      4⤵
      PID:2280
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.2.866027399\1132162499" -childID 1 -isForBrowser -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e668f4f6-81c0-4880-ace6-eac243e9c3e6} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 2076 446ae58 tab
      4⤵
      PID:2168
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.3.1307596891\1552003360" -childID 2 -isForBrowser -prefsHandle 2784 -prefMapHandle 2780 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c88f995-a481-40a4-8cb9-39ff9017df48} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 2796 1bc72858 tab
      4⤵
      PID:1980
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.4.598477996\1035632451" -childID 3 -isForBrowser -prefsHandle 3816 -prefMapHandle 3812 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {924f5f3b-cede-4d01-89fd-e54a2dab253c} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 3828 1df99858 tab
      4⤵
      PID:1784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.5.1163375090\1288796856" -childID 4 -isForBrowser -prefsHandle 3968 -prefMapHandle 3972 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b3556b7-f3f8-48b6-97e3-706f7a767047} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 2068 21075b58 tab
      4⤵
      PID:2556
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.6.220061410\776012128" -childID 5 -isForBrowser -prefsHandle 4076 -prefMapHandle 4080 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6277632-b50e-4aa1-bd25-42fd7466ea07} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 3924 21077958 tab
      4⤵
      PID:560
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.7.1184668521\1246011272" -childID 6 -isForBrowser -prefsHandle 4292 -prefMapHandle 4296 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b00f4fd-759e-4087-8141-6f4e768336a9} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 4284 2004a958 tab
      4⤵
      PID:2348
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
20002a0fd4a2ef1e83b17fab81f4bfb3

SHA1
2fbde4956ab1a27d70de8a6cbc5dee2c69edd30b

SHA256
d4209e33092fda8cb1b9b4d5491ae6427c1cf4de6eca5f0ca416c8fc1c5fde75

SHA512
bda19248b6cdd8d199bbc396773eebbf569f00843313bbcaae9a6dee0d8507b56bc8fca786426880eb680be137ca52473d5e5bd6ad8d105908b3a739cb0f6117

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
350602acfacec1fbf9eeca0b8876e2c7

SHA1
5ecc080ddaa7a6efefe186222906b676c065d2d1

SHA256
5c899c2c159edbf3021c4075b52d7437e2f94425b78baf1976a5d43d742ab2ce

SHA512
db1c4d94185ce46b156394e18c15567aa233ee325e9f9f7916e2f91749936c22033495d03f44cb6847198b4df73d5dc3ec195b1168f22f4ecff7886edc873e60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\87884413-adaa-4c62-8506-a9c97c9e23bd

Filesize
745B

MD5
d5397bfd15c31833f4b344a56017a36c

SHA1
d69f9d63e04ee0fe047ad62c77d84d7ba51a6db8

SHA256
dc48b92a14c481ae152c2525ad31832898fd11af9f4fd652c2149c0368949a32

SHA512
eea35aac7aa1cb0244d074e698dc4de34b29be7bfb7eb76d16acef9e57fb573b6f6422f70ff585e8c975cbde8645a8d645598771f3600fe0b6b65105bc783c0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\8c2998d6-7280-45d5-9d94-947bd3fd50d4

Filesize
10KB

MD5
598eee3f37fb66c5c6f714e3b360e31e

SHA1
e78499f91dccc4de707d00da07a70f09c75ae749

SHA256
bd58423df4b9e853fa131d244d325ec18959da64c40628e8bb3b966ec089fa5f

SHA512
583715f50b92480e7ebbc375c55f2e2a75d21fd60e38357cf0f3a01802d2476717e8d7af497e44422fe6cd820c3c3a1512fc135227791273eef0267b41cedbe4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
16c0314fd14c713194d217505749c4ed

SHA1
6b94ddfc113eef4cf7855640efc6d2cde723eb53

SHA256
3e6b37b31323b300a7e319cf65b36c2c4393dd884ee5e6f262b3b5b4179ca9ab

SHA512
039b55c5602e67a814c15ad14b2f4e3065c747fc9297ba838f2bef36ddda8769670724efad956241cd0152c7ef56a076d67734b558464237b45d27f52bb7dd02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
ac973224d702955eed810a284c5d1114

SHA1
45ae0393f43a6a90b86055ff100a574d0749c0cf

SHA256
8ee306e0fe00b61a415c8603a995dcb3f401d4323b19759b0add07a9b1873865

SHA512
1a77b43bd42b1aeb261593963ea5a386fc61a43f132658748d6b3a1f6c552bcf3d3ac4edf63ae4dae4206777a9e0f33b50c2225eb97f62fe59f7ad092d159b12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
368e98a494de00aa1c22d5d48f2b2108

SHA1
250b53a59b61aba7cadea655673a74f8ef8c2de9

SHA256
f99e2d027d864a920336cfe7d2ab7ad4133617f733f92b01b8a9db474c30ef57

SHA512
15a4e49c67d7758a923e6022dabb331ebf8fea66fb958a3444fde310ad9bd4a37ef52f5724e3084e2166ec988de6ee5bf612afac6824299bc299bd1b42a5dd89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
033ee4baf5d46bdd88b0ef4317b6d252

SHA1
93939b43594957a1d07176fa8fd3e41389f66d6a

SHA256
228e8798d12ea4cdc5e84e737d87baf3dcda8e5b6c8e17ac8862275cc824d20d

SHA512
0fc2ba0d2d7a3db8b2266a9c518e6254ade2747c0a202bfd1444f8c0fa579bc50b140f72dc02ca0d5d2492758e987e2e3e79f50f5b07e196b7fc996a2ce0bd40

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

Filesize
261KB

MD5
080bb8b046bf04a2f09baa07dd1655a0

SHA1
9c4a329bd44d3801231e6b5454bb6f9810dc0e97

SHA256
fd3aa29c7b36fff0d713c4a65ac668b7d07b12c5247c543ebb79d3474fa1a2fa

SHA512
d9de5420ce7bee492494a9563dc4d7c978b13efe760a0a8e124819e0fb2729b68833dda9f71a5f07462da763338a46461158a87c91fc51ec285401e7b874edd4

Download Submit
\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

Filesize
1.3MB

MD5
2cb8ef290675c30d372c32bdc067c297

SHA1
1ed605f5f48386db45555f0dde454a535b593b89

SHA256
7cd215f9c955d29f1342141b76c35d9450f419616fd09f4002d1495d9bfaa468

SHA512
9af79cfed368b583ec7c96ea80c3d31079beabb08bd547c16465edc87aa4535fa2bc531bea2bebf386035598f5b3e5bf8cdc7aa0b1db513b996bbf4b7b72f617

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\41D17F8BEC.tmp

Filesize
5.7MB

MD5
6334f630dc7c11bf48e07fe4ea742c7b

SHA1
65b90024fc321fffc0396cee5edf0d8f0a28faf0

SHA256
8fec09143610507b6cf35c49a36186b2e527d419280f9b6dd9675fd40746c31d

SHA512
e1edf8a103c91101e12fca4e44cbd942fa1cf349fff09ed30967a757f953e4f5f52c540492635197c8b59d3ec4ace6d23a275a52ef83ebb9365796d64fcc8758

Download Submit
memory/3052-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3052-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3052-205-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3052-204-0x0000000000300000-0x00000000008CB000-memory.dmp

Filesize
5.8MB

Download
memory/3052-15-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3052-226-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3052-13-0x0000000000300000-0x00000000008CB000-memory.dmp

Filesize
5.8MB

Download
memory/3052-236-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3052-225-0x0000000000300000-0x00000000008CB000-memory.dmp

Filesize
5.8MB

Download
memory/3052-37-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3052-36-0x0000000000300000-0x00000000008CB000-memory.dmp

Filesize
5.8MB

Download
memory/3052-254-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3052-291-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3052-290-0x0000000000300000-0x00000000008CB000-memory.dmp

Filesize
5.8MB

Download
memory/3052-294-0x0000000000300000-0x00000000008CB000-memory.dmp

Filesize
5.8MB

Download