floxif | b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Size

5.8MB
MD5

ad2c5d68e12cbb4277848c2de768fdd9
SHA1

e766a77c1109fd6eb00e330c1e9b7b3294de6ff6
SHA256

b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3
SHA512

8ff8eba51c2e8a84e2734b71ed8f5b2c2fb1045927a7b902d2e2e10abecc80964e35b724a48861dbcd14ea86859dabb4f6ecd2d3c1fd1a5203baf335051d2fc4
SSDEEP

98304:yk4kuuj5ZLWjlcP4bj218frP3wbzWFimaI7dloDJ:y5uj5ZLIlHjXgbzWFimaI7dlwJ

Score

10^/10

floxif adware backdoor discovery persistence phishing privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0005000000010300-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000010300-1.dat	acprotect

Loads dropped DLL 9 IoCs

pid	Process
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2756	regsvr32.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
1008	regsvr32.exe
1872	regsvr32.exe
2168	regsvr32.exe
2852	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe /onboot"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000010300-1.dat	upx
behavioral1/memory/2116-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2756-15-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2756-17-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-18-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-40-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-213-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1008-224-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1008-226-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2168-230-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1872-228-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2168-237-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1872-235-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2852-239-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2852-240-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-253-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-259-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-270-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-307-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
File opened for modification	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
File created	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
File opened for modification	\??\c:\program files\mozilla firefox\uninstall\helper.exe	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
File created	\??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "355"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Wow6432Node\CLSID	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Token: SeRestorePrivilege	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
Token: SeDebugPrivilege	1992	firefox.exe
Token: SeDebugPrivilege	1992	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1992	firefox.exe
1992	firefox.exe
1992	firefox.exe
1992	firefox.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1992	firefox.exe
1992	firefox.exe
1992	firefox.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2756	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	31
PID 2116 wrote to memory of 2756	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	31
PID 2116 wrote to memory of 2756	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	31
PID 2116 wrote to memory of 2756	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	31
PID 2116 wrote to memory of 2756	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	31
PID 2116 wrote to memory of 2756	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	31
PID 2116 wrote to memory of 2756	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	31
PID 2116 wrote to memory of 1628	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	33
PID 2116 wrote to memory of 1628	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	33
PID 2116 wrote to memory of 1628	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	33
PID 2116 wrote to memory of 1628	2116	b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe	33
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1628 wrote to memory of 1992	1628	firefox.exe	34
PID 1992 wrote to memory of 1308	1992	firefox.exe	35
PID 1992 wrote to memory of 1308	1992	firefox.exe	35
PID 1992 wrote to memory of 1308	1992	firefox.exe	35
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36
PID 1992 wrote to memory of 1660	1992	firefox.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe
"C:\Users\Admin\AppData\Local\Temp\b9dc2275d075110c2e10f75afd304791655695208cd617a4c331e1a4897eb6e3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.0.598050158\225750739" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10d90593-3ad2-4f2f-81e5-0153f4a825ce} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 1308 123d7358 gpu
      4⤵
      PID:1308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.1.477051797\1575742718" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {538aab5b-3e8a-467b-8e34-8c2725427c61} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 1504 e72258 socket
      4⤵
      PID:1660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.2.1460191745\1788708155" -childID 1 -isForBrowser -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df1b10fe-f235-4fe1-8d9d-61c66fbe9fd0} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 2116 1235aa58 tab
      4⤵
      PID:1500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.3.2120649903\422204075" -childID 2 -isForBrowser -prefsHandle 2796 -prefMapHandle 2792 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1c12af7-8d66-4670-bc0e-31d60bd82df9} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 2808 e62858 tab
      4⤵
      PID:1852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.4.960735675\1541752928" -childID 3 -isForBrowser -prefsHandle 3668 -prefMapHandle 3604 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcaa66e9-a294-42c5-a436-d941049b1b5f} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 1084 1f107258 tab
      4⤵
      PID:2764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.5.1539294018\514916049" -childID 4 -isForBrowser -prefsHandle 3784 -prefMapHandle 3788 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc6efaa1-9307-4da2-97f0-5ad922da35c4} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 3772 1f105458 tab
      4⤵
      PID:1328
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.6.1774730079\1503928556" -childID 5 -isForBrowser -prefsHandle 3852 -prefMapHandle 3796 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {588e7708-90e5-4057-a6d0-a62ba7a1eef7} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 3840 1f107558 tab
      4⤵
      PID:2568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1992.7.2045315682\1608058536" -childID 6 -isForBrowser -prefsHandle 4208 -prefMapHandle 4232 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29375a60-dfcb-423b-84b4-fe73624af6ed} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 4196 20fe2058 tab
      4⤵
      PID:2412
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1008
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
28KB

MD5
c21ced9dfe9c5e8be8548bab58299f11

SHA1
790eefa00f71cb96d8b55322f129082ffdecbf46

SHA256
9163cb7669a92296cffdf39b78c21c3872dddd7edf4d198530ae410972d7e5eb

SHA512
4ea7da4e35279c760b5627f9ae79ff43b15b43f586c5763ab9491ec63ae2c0d34d8e8a354b4f5fecd2567db3b98d627562b0982cbe81b15e689097151159f0e9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
1475d0754ebe56b15ec93b0319693896

SHA1
5387853e7578ab5c54bf840520a86aa3282c4b50

SHA256
ad5155d6a10763d61de7a86b09b6b1f5a0dd70b691ad76b652d57f34fd467dbe

SHA512
cee55ab62ab07fae0347d019e88652e10128391972b19bb2c9ad88311a703632479ee44b2e9a8e764cb9702cb4552b98d4a6bb61de7275ec9a95d357d8055e51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\0a76a497-ae20-4b01-a6aa-f6c13e7cb2a4

Filesize
12KB

MD5
cbb86ebbe7b3505a947874e82108b32d

SHA1
9ebc1ed87bd5c37827723b9a5ad352cc6e2d3e8f

SHA256
6b6b473309ae4046745068f833f42e27eafa4e8be5304d2e1235e30dc2a25e3d

SHA512
df630a95f6e739c5c3c5af4d7aae12afd3f47b4e5848aa45e30562d7623519358726ab339353752a017ff315d4a4abe23860b80c6348cbfd74dc329abcd1b218

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\963797b4-7dca-4a58-b3c8-6bed9b83d07b

Filesize
745B

MD5
fa35ab6ab9c65e5648ba5b9619938beb

SHA1
d84c06055e4609c818902c78c3cb116e94bec3db

SHA256
bca5d82e8a83b57a7e7bb647561560870b6245fd7f9c6c20b0becad65062a205

SHA512
1bef10dbedcaf8fd141d1a82435fd6f7df635ab8e33ae3a77094b2644a8739e8dd38e84c21702da5dcf7d47bc002704cf382d0cb3c9d9d894790c0969f2c4dca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
24778af77d96e3a25ca46afcc668c6dc

SHA1
fbbf132a21b113f7296aeaaabb433d50d253d94d

SHA256
27fdc4cb75fdc50bb7a5989c651da8488b3c90463c049355041569b9b6da5060

SHA512
0ed06b9fd538054a9d0e7c1c479442659e520bc39f0994f8c23f5aea7246b6836a4b548f34ee260e1808c0713efb494b619a9e23789db5c8bcb7cd84fac428ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs-1.js

Filesize
6KB

MD5
71c9989fd4c5fde55c840976b499da66

SHA1
5d5a2d65dd61bf514c303c7d17d193f233eafc21

SHA256
4c1dc800b2268411e3eed5b8cb3b71b97e9ba6fcd25dfeb594588e9283857346

SHA512
43b491486939760a4e1174373c49ebce52db0660d57aa857c632097442d6548c13b2362625dd8daa458050f1148e5f8cd150fea9495cdff51365b7a72d36a6ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs.js

Filesize
6KB

MD5
300c0d327dbdc236dc98588e5c436336

SHA1
f95e10b23efc19b7d3d63b2191631b50639f6ef9

SHA256
8734aa3c1b7ef7a3cecc9c141ba93f0d0ee1a948ebe12e89963f2f482dc497cf

SHA512
016945dd80ec1f374df78a00fa36b2524b5d90eca4a57dbce213f232c7a056c49b4568930caa664d8aa7f63d7d5b6f89cef4564d96601d59c39c7efc6ab37002

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0a489f92abea5189a0bd5a20d8e9f7fe

SHA1
6f253cd0a8eb283afff36bbbe38127f9fdee9661

SHA256
4d5f8b1482c2c85317a01ad7150e20a5e923dfbb094a0c9cf4a14a0fca83aa82

SHA512
73834beb9b14d61c15bb1cee38bb689ed13b7995b2a5c6ec2c7ded08ca7dad81add993e15ac73fe74777eef0e1272f969780395b5c7f03962868c69978ab379e

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp

Filesize
261KB

MD5
09da6d95b2363bc3709317c772a89296

SHA1
d24ad1fe7a232b6150e3cab805e2fd348e0faf28

SHA256
34c037907bfe0a8170d70ab100d6dfe670962caceacbf68b5249185f7079f883

SHA512
eed73acb7bac6920e76acac97303f9de13cb3458f525b24500c2b0a299e140149759b4442c74df94d49e0b98d885a25801f6ba7a954ce0c68bb0dfb9c1a3d5ae

Download Submit
\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp

Filesize
1.3MB

MD5
9e2ab80d8f47c81ca67b3155121ef3e7

SHA1
9bdbaa4e5ba7d28a7e1f841c94755dcde88f56bf

SHA256
345abb2fd78c3a418e575379c9c1eef099575adc9eea367767bc574001bf82b9

SHA512
35f48b970a1f1475120e7fa57a713daf6b1e11891a314e25c825c1cb4f00862607cfe59f3f7ef9f61d637414a58acb6d5c94378063e6f7afa4fc32bd51764ff2

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\30D0870844.tmp

Filesize
5.7MB

MD5
0c6f401459414a1c6b769869c68967ad

SHA1
1ba3ae1a0e2c5a2c9f0d7d7159766d13861f6d32

SHA256
0835f094fcef9bc154ea8834578c815e3004a1b1891182f43dc077e17bd5f13f

SHA512
1d731e30006704b8ccde65e42a75451f4eb07b456f6ca1f436f8b981046bb23fb288ef1549cedb277200cab31e5e913c1c26b61cacd3f8ec47adf460f68f9275

Download Submit
memory/1008-226-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1008-224-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1872-228-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1872-235-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1872-233-0x0000000000030000-0x0000000000037000-memory.dmp

Filesize
28KB

Download
memory/2116-213-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-259-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-317-0x0000000000250000-0x000000000081A000-memory.dmp

Filesize
5.8MB

Download
memory/2116-40-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-306-0x0000000000250000-0x000000000081A000-memory.dmp

Filesize
5.8MB

Download
memory/2116-19-0x0000000000250000-0x000000000081A000-memory.dmp

Filesize
5.8MB

Download
memory/2116-18-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-307-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-270-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-39-0x0000000000250000-0x000000000081A000-memory.dmp

Filesize
5.8MB

Download
memory/2116-253-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-252-0x0000000000250000-0x000000000081A000-memory.dmp

Filesize
5.8MB

Download
memory/2168-237-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2168-230-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2756-15-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2756-17-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2852-240-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2852-239-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download