floxif | 29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274af

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Size

5.8MB
MD5

36e98e5ec458447058a1186301513da0
SHA1

32dfb7cedde7155748ca6540f06148471d440f79
SHA256

29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274af
SHA512

43f56a0e9851f7e3a3db6b76b1435082e9a6eba76ccf008389efd31c39037beb474f2bb585ac289d67a31940ac4c1d4dd31a515c8f2d037397b451fa4b68ce8c
SSDEEP

98304:lU/lIqbln59aY1+Xo/P4I4Zz18frP3wbzWFimaI7dlo0tA:lMltd50Y1cKLgbzWFimaI7dlhA

Score

10^/10

floxif adware backdoor discovery persistence phishing spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000c000000012263-1.dat	floxif

A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000012263-1.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe /onboot"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012263-1.dat	upx
behavioral1/memory/2084-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-15-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-29-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-206-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-226-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-232-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-253-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2084-290-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
File opened for modification	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
File created	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
File opened for modification	\??\c:\program files\mozilla firefox\uninstall\helper.exe	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
File created	\??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\CLSID	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "351"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Token: SeRestorePrivilege	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
Token: SeDebugPrivilege	2648	firefox.exe
Token: SeDebugPrivilege	2648	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2648	firefox.exe
2648	firefox.exe
2648	firefox.exe
2648	firefox.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2648	firefox.exe
2648	firefox.exe
2648	firefox.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2852	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	31
PID 2084 wrote to memory of 2852	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	31
PID 2084 wrote to memory of 2852	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	31
PID 2084 wrote to memory of 2852	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	31
PID 2084 wrote to memory of 2852	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	31
PID 2084 wrote to memory of 2852	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	31
PID 2084 wrote to memory of 2852	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	31
PID 2084 wrote to memory of 2608	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	34
PID 2084 wrote to memory of 2608	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	34
PID 2084 wrote to memory of 2608	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	34
PID 2084 wrote to memory of 2608	2084	29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe	34
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2608 wrote to memory of 2648	2608	firefox.exe	35
PID 2648 wrote to memory of 1636	2648	firefox.exe	36
PID 2648 wrote to memory of 1636	2648	firefox.exe	36
PID 2648 wrote to memory of 1636	2648	firefox.exe	36
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37
PID 2648 wrote to memory of 1720	2648	firefox.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe
"C:\Users\Admin\AppData\Local\Temp\29254e947fb0a8c436557c9eab354e34d16555733a59beb582b134ea24d274afN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.0.1661492450\1677358890" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce13e4a9-b85a-47d2-88d1-e17b8ac99132} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 1292 47d5b58 gpu
      4⤵
      PID:1636
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.1.216774754\305145451" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5046047-0514-41ce-9809-abf99fbbd74a} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 1504 e72b58 socket
      4⤵
      PID:1720
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.2.1196199701\536967483" -childID 1 -isForBrowser -prefsHandle 1976 -prefMapHandle 1784 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd2a6696-e578-4cf5-9814-6226eeb9a938} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 1756 19fbf058 tab
      4⤵
      PID:2124
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.3.677197333\1183440667" -childID 2 -isForBrowser -prefsHandle 2916 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {216d6a34-122e-44b6-b601-fb5f6ff357e5} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 2928 1cfbbf58 tab
      4⤵
      PID:1932
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.4.181744382\141593553" -childID 3 -isForBrowser -prefsHandle 3668 -prefMapHandle 3620 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf54ff1-17da-4052-a18f-3eb9b320677f} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 3680 1fe37958 tab
      4⤵
      PID:2400
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.5.545914043\716469769" -childID 4 -isForBrowser -prefsHandle 3796 -prefMapHandle 3800 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8f015d6-cf47-4d9c-ae25-f5e56bc241f3} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 3784 1fe36d58 tab
      4⤵
      PID:1648
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.6.194957087\1719545437" -childID 5 -isForBrowser -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c03ef59-0aa1-44dd-ade1-95b037c7f38f} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 3872 1fe37058 tab
      4⤵
      PID:1428
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2648.7.838045278\1118595043" -childID 6 -isForBrowser -prefsHandle 4052 -prefMapHandle 2228 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddf73d81-4ab4-43de-9d20-23f1ad7aa68c} 2648 "\\.\pipe\gecko-crash-server-pipe.2648" 4140 11ff2558 tab
      4⤵
      PID:892
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
868cfd32f645da43951f3f68ad7abf68

SHA1
66e4706db3773fd9e44cf251e711a1aeaffee2a2

SHA256
9f7ec34c24bba47a6ef1b0ed16271c4a80512052d97a7e7eb2005a1f41af4445

SHA512
49af8bb31beecafd12ab8c1ff1b42ceac7564a378fe7854904ddd9fa71618f6bc45b992f4a0df8dd9e6bc5180e2c11113a6ed8e69ec79c35f8df1163c4c32dc5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c09bf2770e726c022f76e0564dda8077

SHA1
e6688be72b7f6951e287122cea656c0002d1013f

SHA256
2093dae767758afd648bfc36d76ed407136fd03af7be0a81ed4248fd03f3437a

SHA512
3a6e7b127500dac0f282e43e51c834a79d7275b5786919e68957e88569f174330bc7236016b6e0bfd480d02ea723b437df63afb6d13c7f2b14b558dd37308770

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\datareporting\glean\pending_pings\64772452-426c-49c2-9ee3-b9b4bfbe9c67

Filesize
11KB

MD5
f1b83cf9353defed55751dc83a4937a9

SHA1
caea32dba6c71d2b271b3e7ad4d9b40631f003e0

SHA256
4a92861dac57f5ebf21a7c1e27f7e837d191bbcd700fe2477c2ac0af7263a01d

SHA512
31a23af7146825b0f2ece09d3707fe9c0819c5764f070a8de74b8adf9ab3c817782c10cc7bac03cb7ba35e759b78d1e2df074bc4f0af76a16b80a09435e22fe7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\datareporting\glean\pending_pings\f2bfa5c4-2a31-443d-bace-bcd318b6ca9e

Filesize
745B

MD5
957edce691fc5763ce3876fd59e7a1b4

SHA1
36e468a4fb1e450ab8c802627104e2600ecb73c9

SHA256
0de553cbd048fb713fbf0b440549904f4acb68a7f47c486d2b35b64059f965bc

SHA512
852ddcc672e498e4816deab4b9db88cc3c70569dc4c3cca74a570e94c81213da104d8545f9747545c5de7462955bff9ac53e745b8d4ec5420925b67a58aacf33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs-1.js

Filesize
6KB

MD5
972ea48c82a7c8359931bcc6be219a16

SHA1
55671acf3435d190a7d38b7ac8dcfd7fd9b04cc4

SHA256
9e6973afed736415ccdae96514440fd16f21172608e8c3e082e0b0a2cae335fc

SHA512
86277cc8e46aca69ff2cd2fbc1daa2515d23cc4ed3c1d6d247ca88e9de153eb0de37290477719dbdc73b12da8cb1303ec5a1397bdcd3da19cc2a4a7d5a5d79e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs-1.js

Filesize
6KB

MD5
238981797b52222cae48754ebf05f18e

SHA1
749c6ee7814b47bfad881d0583bd0ec741ade6c2

SHA256
2696ea90752e565bbd8d8663bcdf885df162105ecac774c8863745b81ed10a20

SHA512
9673363ff1a9bec6469a1780296b0bc210e1541d7e8c40df7cd7e127e3c8d759fc8a7cf4c7761cad9414449423915d6e1ead544c3f6712ec18d8691e516ef5b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
9604c8253c834b11dae4cdf930fa9ee5

SHA1
e113308a3db2b818e9d8b9668e635afe08a8d48b

SHA256
b2e887f8aeb9b2840d661a5a93435328c77983457d5a25def27e7b76884fcc68

SHA512
18ea891c0ff62de9841352a90c4857c1ffaf0edb142c2b84418bd40d60bd05c483e21986df0ef3557b60bd7cce9dec651ee567ad638f46b2fa7e79e7fea3f884

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
d01be461e20075d02c831f3977403a26

SHA1
1285702e143c40b75fe31126b2fd3b514d66c319

SHA256
34fc1512f6be5fa2362677749487cd3c050f987a6fd297cecbdb3ba0134192e6

SHA512
933e4ff44571b788c2d96d9c9f6c045078cc029b3bdbc79a6d7f5d2975f76743ebec439706fbf5ba3a2fbcbc9412cb9e44d2e151e3c70bdfa849960dda071770

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

Filesize
261KB

MD5
515e2f7d85a301734a8454751f3ec92a

SHA1
254a577685d9a57011d6be3f35518f2b8071ce2b

SHA256
4f4cd90c3b41000d0a97ca5ee8861aa41e3b3dd7bd987bb8aace0a1b3d981aaa

SHA512
9cae083ec5b25ca7a33c864a92423c8d1a087cb901c02f3f2923202eedcf8c182be592e97362abc07b29e134c78ae8f28bc558c71cacc21a5bf0d00b0544541c

Download Submit
\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

Filesize
1.3MB

MD5
dbebe3b40510dbf30603a5adb34527e3

SHA1
9f773b8fd95db1583a8ccc21f3f1bd9699878d83

SHA256
e430cc49f743a2742b9e51a2e85205af6cd0e47c5c77bbe567400a68fbc1d04b

SHA512
75f68132f6bbc2d27a8d2de545590f0a546aa137278bd2d0dc9bd58f81cee6ded40aa5dc37c2c9fa63b4413d532e97e87763b022612b7662fea692fa8ff6775e

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\A2F38D8824.tmp

Filesize
5.7MB

MD5
7e434fc2d3049f71c545ed53a733a9b7

SHA1
e051e709cedbab9c36922f686ba564e341bdb6ac

SHA256
92bab1736405fee517c09a1cd4cb27b207f9ef0f44f772b76237ceef9eecd4e9

SHA512
fdb91331933b9f35963e7655e1d271cae376f303369d99768ff27ce8b51542c3889a06912a240b078a5d880bb9bad4cb0633c2fc93a1bcc69c30d54af187792e

Download Submit
memory/2084-15-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-206-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-13-0x0000000000EA0000-0x0000000001468000-memory.dmp

Filesize
5.8MB

Download
memory/2084-226-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-225-0x0000000000EA0000-0x0000000001468000-memory.dmp

Filesize
5.8MB

Download
memory/2084-28-0x0000000000EA0000-0x0000000001468000-memory.dmp

Filesize
5.8MB

Download
memory/2084-232-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-29-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-253-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-290-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2084-289-0x0000000000EA0000-0x0000000001468000-memory.dmp

Filesize
5.8MB

Download