floxif | 3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735ee

Analysis

max time kernel
118s
max time network
94s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Size

5.8MB
MD5

507a010c585df7514045e91677c6c810
SHA1

cc75f96b70e36a17fbf267091cc3bedbd1f7ae60
SHA256

3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735ee
SHA512

f836e75e17d4237d4ef4fed7a70db8cbf77eb89c988da014681b2b4f5050791badf5e53c0c1611bdfbe352edeba332f52342b3a264ab24472034926e9c7f3d09
SSDEEP

98304:NZAmLhPQY9/QORwljvKjq6P4YqN18frP3wbzWFimaI7dlo8f:N/LhPQYxQmwlTQNgbzWFimaI7dlr

Score

10^/10

floxif adware backdoor discovery persistence phishing privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000a000000012255-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000012255-1.dat	acprotect

Loads dropped DLL 9 IoCs

pid	Process
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2884	regsvr32.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2028	regsvr32.exe
2492	regsvr32.exe
2372	regsvr32.exe
2644	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe /onboot"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x000a000000012255-1.dat	upx
behavioral1/memory/2884-15-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2884-17-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2200-18-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2200-45-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2200-217-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2492-230-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2028-232-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2028-229-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2492-234-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2372-236-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2372-238-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2644-240-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2200-252-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2200-264-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2200-279-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2200-317-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
File opened for modification	\??\c:\program files\mozilla firefox\uninstall\helper.exe	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
File created	\??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
File opened for modification	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "354"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\CLSID	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Token: SeRestorePrivilege	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
Token: SeDebugPrivilege	940	firefox.exe
Token: SeDebugPrivilege	940	firefox.exe
Token: SeDebugPrivilege	2492	regsvr32.exe
Token: SeDebugPrivilege	2372	regsvr32.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
940	firefox.exe
940	firefox.exe
940	firefox.exe
940	firefox.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
940	firefox.exe
940	firefox.exe
940	firefox.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2884	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	31
PID 2200 wrote to memory of 2884	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	31
PID 2200 wrote to memory of 2884	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	31
PID 2200 wrote to memory of 2884	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	31
PID 2200 wrote to memory of 2884	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	31
PID 2200 wrote to memory of 2884	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	31
PID 2200 wrote to memory of 2884	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	31
PID 2200 wrote to memory of 300	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	33
PID 2200 wrote to memory of 300	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	33
PID 2200 wrote to memory of 300	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	33
PID 2200 wrote to memory of 300	2200	3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe	33
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 300 wrote to memory of 940	300	firefox.exe	34
PID 940 wrote to memory of 2292	940	firefox.exe	35
PID 940 wrote to memory of 2292	940	firefox.exe	35
PID 940 wrote to memory of 2292	940	firefox.exe	35
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36
PID 940 wrote to memory of 2712	940	firefox.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe
"C:\Users\Admin\AppData\Local\Temp\3a80eaccf0578865bab1e3b87b009d67031204fb0a6af19dcbc2d77e699735eeN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.0.800758254\2109082465" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26fb2acf-8b7e-4b97-8580-0daefe3a9cfe} 940 "\\.\pipe\gecko-crash-server-pipe.940" 1336 eee3858 gpu
      4⤵
      PID:2292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.1.1223571505\631579013" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d9247ee-a6fd-4c6a-9345-8294d806b274} 940 "\\.\pipe\gecko-crash-server-pipe.940" 1516 e72858 socket
      4⤵
      PID:2712
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.2.1562638222\424692187" -childID 1 -isForBrowser -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5bd5a6c-e42e-4027-a234-688669e503a7} 940 "\\.\pipe\gecko-crash-server-pipe.940" 2028 1a69ed58 tab
      4⤵
      PID:1548
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.3.170029282\1427639754" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3985a8ba-7aa4-4ad7-af5d-3036a613e50f} 940 "\\.\pipe\gecko-crash-server-pipe.940" 2912 1c96b258 tab
      4⤵
      PID:1764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.4.1410839885\61498614" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3724 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff243c9f-b8bf-4615-a368-8588e912a0bb} 940 "\\.\pipe\gecko-crash-server-pipe.940" 3744 1b33fc58 tab
      4⤵
      PID:2504
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.5.120164059\431133079" -childID 4 -isForBrowser -prefsHandle 3860 -prefMapHandle 3864 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d66fced-e327-4108-a2a1-02dfc09c68f2} 940 "\\.\pipe\gecko-crash-server-pipe.940" 3844 201c5058 tab
      4⤵
      PID:2536
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.6.1346604767\1124380022" -childID 5 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {affa0509-6394-4230-b2a6-87992f381c2f} 940 "\\.\pipe\gecko-crash-server-pipe.940" 3976 20274458 tab
      4⤵
      PID:2568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="940.7.650785125\1207049650" -childID 6 -isForBrowser -prefsHandle 4240 -prefMapHandle 3968 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {353fe49a-167b-4a7f-a310-553812aa5257} 940 "\\.\pipe\gecko-crash-server-pipe.940" 3988 211e2658 tab
      4⤵
      PID:2284
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
31KB

MD5
059da12a53cc2a3090948e2600f3cc6c

SHA1
1a0e3ef10cf2780475ffb20fc3316f735d9e02b4

SHA256
dd6049ea3ab7525299e6b8e03f3342b7fff34cd7970577293d2764a619057b58

SHA512
7032b0295a82916628b5dbf04c6b57468bd947c668ffc5b59a7151bd047837088c6b0bc660ff0b703c76f58dacac55545c7272760c1b2b0f04ef8e3952fe7424

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
fc36911f968b7cac5e9016d4e26857b9

SHA1
bfcdaae031671ec7d1ba00b18a66d65e577b6a68

SHA256
08e98b1408540a6c0cb5ba5b378d00d35184605e41311f2cfbe790587dd57e83

SHA512
0c178fe9180bbe263b295244aa434f12457671a2af392464dd6565915c0f2d5694ec18f3730915a8a5063acc1aa5457d1258dddbf01aab58ef4ffc8d8ab9976b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\f2cb7dde-ea76-4000-8fa3-991785c9c078

Filesize
733B

MD5
c1c461798ac116592ba90a03361275d3

SHA1
a8da7235e3f7c8cbc63f930c2359a76ccd0e9553

SHA256
a9d03155804faa564b32bc69b81a96e1fd29c2ad61382dd1f4cd8d0b7d891c0d

SHA512
7d946ace0a5312983ca82c638e9fe0c82427f33eca7ac26758d3a3750915a549940354989321f4bd01f44766264c5626c095ea5976b1475a98b9ff09c7803e65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
c364adb51e89f5b405547d0483b4551f

SHA1
abf98c83c27da3e260c14897acdbf45369a262b3

SHA256
f7d587fc4d6d1c6c568433371466ebd48b1e920956dbdc51ba68fdad534492b4

SHA512
c7dee5bd469a6839c0c6356de6f9d99d07fe80fc88881f5b250d733af9a79613d1198fac2db2656aae1d6daf1acc334407505b6044a2bc8d9742ce6c73a31c92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
d0284cc5cc0555d48581c9e49ca59ed8

SHA1
4c55a00d2a72cd5417ac85be88001359b0ebb490

SHA256
a26811232fb55142d07fb2550071b105400d78eb52cb2d6c127eef3a31c60cc6

SHA512
a37a2f0b2712153d7b828a437ababf9b02730416e4819b9d5d91f8f1f1a54723f8fc5c233c208f389d104bd4a6415870eca702e2615c3147550b4cd97c9faa2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js

Filesize
6KB

MD5
b50bbd797b7ecc86b17fc349a43edc52

SHA1
3caabed47138ad4a20750986bb169d4fa9fc6637

SHA256
819b78afbbd87793797224a259a56941ad0ea556c9e741ff6bb86762d08416c3

SHA512
685939506e5403c1248671aac5e16ff2d3ea04ebdde9cc16b7d5b0cf75f0365cbdeaec91ad58bcd404f4957aa8a2d21476e20a0ad018d0a641c88f1f428359e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f7c2c5499c8d42c56681a2384f6e1d38

SHA1
653b4d85eac7e4ccdd3edbda79ba49bd127c9c88

SHA256
62e9dc0e8a68905544955f23428fa8a9d0b31d02bbac48749ff4d1a34041a389

SHA512
dfe11d6f53158a539699ca56ba1e167a264c4dc68968d7f68c1dea57828a9eb4041a2c4db55603b47f6e577d061d7cc591f9c81fc3f5978d8f2eb63a91df7ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5c3e657b4d3cb5208d15785ab0158900

SHA1
2b4f42ace46145582639eaea30b51bd1fef7f778

SHA256
986afb4162e0ae1a2e8a8f691d0be42e9b7dd219834a2c9eb771acb93c1e18eb

SHA512
f86b1d1975cf59cf5dc331f8d3d4897525ce8b7fc21a69188b8c703acb43a872649b56ccd196636497aff41168ad920abc2eee89878b234fcdf8cbedda7b27b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3dc733f51b6c47c0e57ae7035b9abacf

SHA1
d4c28a6f9d4bae9e297440a46726a2cb3e2504ba

SHA256
aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1

SHA512
e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

Filesize
261KB

MD5
b22e98383bd93e87692c886b231f7fdb

SHA1
cb2bcbb5894f02f50d74081b73f9c843d3595335

SHA256
ea0a5d9c35dd04b15c8ce45024ed57f63cf41660ee77563d67e13bf2c28e282e

SHA512
4ee712f63c6aefd6b006df802e96166234d8318b0faaff5545a0804f032ecc30beb6ea83c6154e01d1100e2dc5bb072f9048c860195fc18337e70b40b4d0c01a

Download Submit
\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

Filesize
1.3MB

MD5
ade96db938261148ba2d6cab51a13356

SHA1
3cde2b2c8057d277e54e82f729881b488325e857

SHA256
7168cf9f4d0814508eb2658b98cf676480e87cafab156d9cd317f904d6051137

SHA512
2022e1b026b3dab014f562f72d9ab6f53e9b3fe3ece392c7c222ecc856e138f76e9b4ef962176bbf58d35f031fca31c314d7d65fc55c0041eecdc3bdbef41451

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\A110438898.tmp

Filesize
5.7MB

MD5
6334f630dc7c11bf48e07fe4ea742c7b

SHA1
65b90024fc321fffc0396cee5edf0d8f0a28faf0

SHA256
8fec09143610507b6cf35c49a36186b2e527d419280f9b6dd9675fd40746c31d

SHA512
e1edf8a103c91101e12fca4e44cbd942fa1cf349fff09ed30967a757f953e4f5f52c540492635197c8b59d3ec4ace6d23a275a52ef83ebb9365796d64fcc8758

Download Submit
memory/2028-229-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2028-232-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-217-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-264-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-316-0x0000000000CE0000-0x00000000012AB000-memory.dmp

Filesize
5.8MB

Download
memory/2200-44-0x0000000000CE0000-0x00000000012AB000-memory.dmp

Filesize
5.8MB

Download
memory/2200-45-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-317-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-279-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-18-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-19-0x0000000000CE0000-0x00000000012AB000-memory.dmp

Filesize
5.8MB

Download
memory/2200-252-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-251-0x0000000000CE0000-0x00000000012AB000-memory.dmp

Filesize
5.8MB

Download
memory/2372-238-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2372-236-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2492-234-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2492-230-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2644-240-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2884-17-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2884-15-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download