Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20250619-en -
resource tags
arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system -
submitted
03/07/2025, 05:28
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe
Resource
win11-20250610-en
General
-
Target
2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe
-
Size
11.9MB
-
MD5
0f57924ddfed66ab424aa46d47be0828
-
SHA1
812eded4562ce1aa45095522a4918e90fedb3eb2
-
SHA256
c306ae8692b0d6a8452fef14695e3ce3d372a9ce425319ebbeab468ebb1def02
-
SHA512
2c06f9aa212951cde4cb564c49050f81c9d284853ba14a962fcbcb58198c0b4df9f6c49f6399f4e524c90013df754cc7a800a4910a3c3050172311824a63639d
-
SSDEEP
196608:5X5pDStUHl2BAXdApST0+/WFNWcfQyaPVUczzUrexfwdNZGBAcBcD2peihgJaFjA:/lkBaAmzuWfnyeuTZgcKp9k6A
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\idmwfp.sys DrvInst.exe File opened for modification C:\Windows\System32\drivers\idmwfp.sys DrvInst.exe -
A potential corporate email address has been identified in the URL: [email protected]
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation Uninstall.exe Key value queried \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation IDMan.exe Key value queried \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation Uninstall.exe Key value queried \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation IDM1.tmp Key value queried \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation IDMan.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 15 IoCs
pid Process 1584 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 2988 icsys.icn.exe 4480 explorer.exe 4524 IDM1.tmp 4760 spoolsv.exe 4720 svchost.exe 4716 spoolsv.exe 4884 explorer.exe 4896 svchost.exe 6064 idmBroker.exe 5240 IDMan.exe 4452 Uninstall.exe 4440 MediumILStart.exe 4600 IDMan.exe 4492 Uninstall.exe -
Loads dropped DLL 39 IoCs
pid Process 4524 IDM1.tmp 4524 IDM1.tmp 4524 IDM1.tmp 4524 IDM1.tmp 1604 regsvr32.exe 5260 regsvr32.exe 868 regsvr32.exe 3552 regsvr32.exe 2424 regsvr32.exe 2240 regsvr32.exe 5240 IDMan.exe 5240 IDMan.exe 5240 IDMan.exe 5240 IDMan.exe 5240 IDMan.exe 1640 regsvr32.exe 5352 regsvr32.exe 5648 regsvr32.exe 2128 regsvr32.exe 5928 regsvr32.exe 3932 regsvr32.exe 3812 regsvr32.exe 1768 regsvr32.exe 3516 Process not Found 3516 Process not Found 1616 regsvr32.exe 3484 regsvr32.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe 5068 regsvr32.exe 4032 regsvr32.exe 4536 regsvr32.exe 232 regsvr32.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" RUNDLL32.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" RUNDLL32.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" IDM1.tmp Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" IDM1.tmp Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} IDM1.tmp -
Drops file in System32 directory 18 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e}\idmwfp64.sys DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e}\SET69A3.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e}\idmwfp.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e} DrvInst.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e}\SET69A3.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e}\idmwfp.inf DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e}\SET6992.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e}\SET6992.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e}\SET69A4.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{ac4d359a-d865-6f44-bc0c-b053c1bd1d6e}\SET69A4.tmp DrvInst.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_chn.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_tr.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_ro.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmtdi.cat IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\grabber.chm IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_pl.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\IDMVMPrs.dll IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_bg.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmwfpAA.sys IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\IDMSetup2.log IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_nl.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmbrbtn.dll IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmwfp.inf IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_ptbr.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_kr.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_chn.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_mm.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_sw.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_ru.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_it.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_uz.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_hu.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_no.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_it.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\IDMFType.dat IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_kr.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_bn.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\license.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\template.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\defexclist.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmindex.dll IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_gr.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\openssl-license.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\IDMan.exe IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmmzcc3.xpi IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmcchandler2.dll IDMan.exe File created C:\Program Files (x86)\Internet Download Manager\idmcchandler2_64.dll IDMan.exe File created C:\Program Files (x86)\Internet Download Manager\Uninstall.exe IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_src.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_cz.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_cz.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_hi.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_dk.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_ptbr.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_fa.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\downlWithIDM.dll IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmwfp32.sys IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmwfp64.sys IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_id.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_iw.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_id.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmfsa.dll IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\template_inst.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_sk.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_iw.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_cht.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_jp.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_iw.txt IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_de.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_sk.lng IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi IDM1.tmp File created C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe IDM1.tmp -
Drops file in Windows directory 13 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log RUNDLL32.EXE File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\INF\setupapi.dev.log RUNDLL32.EXE File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 50 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MediumILStart.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language idmBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Uninstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IDM1.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IDMan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IDMan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Uninstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe -
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_HL-DT-ST_DVD+-RW\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_HL-DT-ST_DVD+-RW\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe -
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" IDM1.tmp Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" IDM1.tmp Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" IDM1.tmp Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote IDMan.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" IDM1.tmp Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights IDM1.tmp Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" IDM1.tmp Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppName = "IDMan.exe" IDM1.tmp Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" idmBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B} idmBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe" idmBroker.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" IDM1.tmp Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop IDM1.tmp Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" IDMan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy IDM1.tmp Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} IDM1.tmp Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\Policy = "3" IDM1.tmp Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights idmBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" IDMan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights IDM1.tmp Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} IDM1.tmp Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy IDM1.tmp Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy idmBroker.exe Set value (int) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3" idmBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" IDM1.tmp Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} IDM1.tmp Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B} IDM1.tmp Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote IDMan.exe Key created \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop IDMan.exe -
Modifies data under HKEY_USERS 41 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CurVer\ = "IDMIECC.IDMIEHlprObj.1" IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID IDMan.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47} IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\TypeLib\Version = "1.0" IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\CLSID\ = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\ProgID IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{42FD0451-B21A-4EE0-8B4F-6F2DA05F6FD1} IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}" IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\idmBroker.EXE\AppID = "{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}" idmBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\VersionIndependentProgID idmBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7} IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1\CLSID\ = "{0F947660-8606-420A-BAC6-51B84DD22A47}" IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID\ = "IDMIECC.IDMIEHlprObj.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A} IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32\ = "{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ = "IIDMEFSAgent" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32 IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ = "LinkProcessor Class" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\ = "IDMDwnlMgr Class" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ProgID\ = "idmBroker.OptionsReader.1" idmBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\ = "IDMDwnlMgr Class" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ = "PSFactoryBuffer" IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1\CLSID\ = "{CDD67718-A430-4AB9-A939-83D9074B0038}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\CLSID\ = "{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" idmBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ = "VLinkProcessor Class" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\InProcServer32\ThreadingModel = "Both" IDMan.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\ = "IDMEFSAgent Class" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\Programmable IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage.1\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\LocalizedString = "@C:\\Program Files (x86)\\Internet Download Manager\\idmfsa.dll,-100" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CLSID\ = "{CDD67718-A430-4AB9-A939-83D9074B0038}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{42FD0451-B21A-4EE0-8B4F-6F2DA05F6FD1}\NumMethods IDM1.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}\TypeLib\Version = "1.0" IDM1.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D} IDMan.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4480 explorer.exe 4720 svchost.exe -
Suspicious behavior: LoadsDriver 12 IoCs
pid Process 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4524 IDM1.tmp Token: SeRestorePrivilege 5240 IDMan.exe Token: SeAuditPrivilege 4708 svchost.exe Token: SeSecurityPrivilege 4708 svchost.exe Token: SeRestorePrivilege 2688 DrvInst.exe Token: SeBackupPrivilege 2688 DrvInst.exe Token: SeDebugPrivilege 2160 firefox.exe Token: SeDebugPrivilege 2160 firefox.exe Token: SeBackupPrivilege 5240 IDMan.exe Token: SeDebugPrivilege 4032 regsvr32.exe Token: SeDebugPrivilege 4032 regsvr32.exe Token: SeRestorePrivilege 4792 DrvInst.exe Token: SeBackupPrivilege 4792 DrvInst.exe Token: SeDebugPrivilege 228 RUNDLL32.EXE Token: SeDebugPrivilege 228 RUNDLL32.EXE Token: SeDebugPrivilege 232 regsvr32.exe Token: SeDebugPrivilege 232 regsvr32.exe -
Suspicious use of FindShellTrayWindow 20 IoCs
pid Process 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 5240 IDMan.exe 4600 IDMan.exe -
Suspicious use of SendNotifyMessage 14 IoCs
pid Process 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 2160 firefox.exe 5240 IDMan.exe 4600 IDMan.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
pid Process 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 4480 explorer.exe 4480 explorer.exe 4760 spoolsv.exe 4760 spoolsv.exe 4720 svchost.exe 4720 svchost.exe 4716 spoolsv.exe 4716 spoolsv.exe 4884 explorer.exe 4896 svchost.exe 4884 explorer.exe 4896 svchost.exe 5240 IDMan.exe 5240 IDMan.exe 4452 Uninstall.exe 2160 firefox.exe 5240 IDMan.exe 5240 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe 4492 Uninstall.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe 4600 IDMan.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5884 wrote to memory of 1584 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 89 PID 5884 wrote to memory of 1584 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 89 PID 5884 wrote to memory of 1584 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 89 PID 5884 wrote to memory of 2988 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 90 PID 5884 wrote to memory of 2988 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 90 PID 5884 wrote to memory of 2988 5884 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 90 PID 2988 wrote to memory of 4480 2988 icsys.icn.exe 91 PID 2988 wrote to memory of 4480 2988 icsys.icn.exe 91 PID 2988 wrote to memory of 4480 2988 icsys.icn.exe 91 PID 1584 wrote to memory of 4524 1584 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 92 PID 1584 wrote to memory of 4524 1584 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 92 PID 1584 wrote to memory of 4524 1584 2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe 92 PID 4480 wrote to memory of 4760 4480 explorer.exe 93 PID 4480 wrote to memory of 4760 4480 explorer.exe 93 PID 4480 wrote to memory of 4760 4480 explorer.exe 93 PID 4760 wrote to memory of 4720 4760 spoolsv.exe 94 PID 4760 wrote to memory of 4720 4760 spoolsv.exe 94 PID 4760 wrote to memory of 4720 4760 spoolsv.exe 94 PID 4720 wrote to memory of 4716 4720 svchost.exe 95 PID 4720 wrote to memory of 4716 4720 svchost.exe 95 PID 4720 wrote to memory of 4716 4720 svchost.exe 95 PID 4596 wrote to memory of 4896 4596 cmd.exe 101 PID 4596 wrote to memory of 4896 4596 cmd.exe 101 PID 4596 wrote to memory of 4896 4596 cmd.exe 101 PID 4932 wrote to memory of 4884 4932 cmd.exe 100 PID 4932 wrote to memory of 4884 4932 cmd.exe 100 PID 4932 wrote to memory of 4884 4932 cmd.exe 100 PID 4524 wrote to memory of 1604 4524 IDM1.tmp 118 PID 4524 wrote to memory of 1604 4524 IDM1.tmp 118 PID 4524 wrote to memory of 1604 4524 IDM1.tmp 118 PID 4524 wrote to memory of 5260 4524 IDM1.tmp 119 PID 4524 wrote to memory of 5260 4524 IDM1.tmp 119 PID 4524 wrote to memory of 5260 4524 IDM1.tmp 119 PID 4524 wrote to memory of 868 4524 IDM1.tmp 120 PID 4524 wrote to memory of 868 4524 IDM1.tmp 120 PID 4524 wrote to memory of 868 4524 IDM1.tmp 120 PID 4524 wrote to memory of 6064 4524 IDM1.tmp 121 PID 4524 wrote to memory of 6064 4524 IDM1.tmp 121 PID 4524 wrote to memory of 6064 4524 IDM1.tmp 121 PID 1604 wrote to memory of 2424 1604 regsvr32.exe 122 PID 1604 wrote to memory of 2424 1604 regsvr32.exe 122 PID 5260 wrote to memory of 3552 5260 regsvr32.exe 124 PID 5260 wrote to memory of 3552 5260 regsvr32.exe 124 PID 868 wrote to memory of 2240 868 regsvr32.exe 125 PID 868 wrote to memory of 2240 868 regsvr32.exe 125 PID 4524 wrote to memory of 5240 4524 IDM1.tmp 126 PID 4524 wrote to memory of 5240 4524 IDM1.tmp 126 PID 4524 wrote to memory of 5240 4524 IDM1.tmp 126 PID 5240 wrote to memory of 1640 5240 IDMan.exe 127 PID 5240 wrote to memory of 1640 5240 IDMan.exe 127 PID 5240 wrote to memory of 1640 5240 IDMan.exe 127 PID 5240 wrote to memory of 5352 5240 IDMan.exe 128 PID 5240 wrote to memory of 5352 5240 IDMan.exe 128 PID 5240 wrote to memory of 5352 5240 IDMan.exe 128 PID 1640 wrote to memory of 5648 1640 regsvr32.exe 129 PID 1640 wrote to memory of 5648 1640 regsvr32.exe 129 PID 5240 wrote to memory of 5928 5240 IDMan.exe 130 PID 5240 wrote to memory of 5928 5240 IDMan.exe 130 PID 5240 wrote to memory of 5928 5240 IDMan.exe 130 PID 5352 wrote to memory of 2128 5352 regsvr32.exe 131 PID 5352 wrote to memory of 2128 5352 regsvr32.exe 131 PID 5240 wrote to memory of 3812 5240 IDMan.exe 132 PID 5240 wrote to memory of 3812 5240 IDMan.exe 132 PID 5240 wrote to memory of 3812 5240 IDMan.exe 132 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5884 -
\??\c:\users\admin\appdata\local\temp\2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exec:\users\admin\appdata\local\temp\2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"5⤵
- Loads dropped DLL
- Modifies registry class
PID:2424
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5260 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"5⤵
- Loads dropped DLL
- Modifies registry class
PID:3552
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"5⤵
- Loads dropped DLL
- Modifies registry class
PID:2240
-
-
-
C:\Program Files (x86)\Internet Download Manager\idmBroker.exe"C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
PID:6064
-
-
C:\Program Files (x86)\Internet Download Manager\IDMan.exe"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5240 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"6⤵
- Loads dropped DLL
- Modifies registry class
PID:5648
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5352 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"6⤵
- Loads dropped DLL
- Modifies registry class
PID:2128
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5928 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"6⤵
- Loads dropped DLL
- Modifies registry class
PID:3932
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3812 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"6⤵
- Loads dropped DLL
- Modifies registry class
PID:1768
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html5⤵PID:2220
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html6⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2160 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27099 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2100 -initialChannelId {cd8558fc-b048-4b36-b70d-18121368a983} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu7⤵PID:4540
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {a63721f0-ba48-4272-9271-bd0bc28dd87b} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket7⤵PID:4852
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3832 -prefsLen 25164 -prefMapHandle 3836 -prefMapSize 270279 -jsInitHandle 3840 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3848 -initialChannelId {b0aa1824-ba3f-457f-aec0-0e7ef84c229a} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab7⤵
- Checks processor information in registry
PID:5924
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4000 -prefsLen 27276 -prefMapHandle 4004 -prefMapSize 270279 -ipcHandle 4088 -initialChannelId {567ef87d-2256-4587-8afd-3a18afdedfb0} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd7⤵PID:3612
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3256 -prefsLen 34775 -prefMapHandle 2716 -prefMapSize 270279 -jsInitHandle 2720 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1620 -initialChannelId {768a777d-0129-4e2c-a5fc-016a17eb0803} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab7⤵
- Checks processor information in registry
PID:3704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5008 -prefsLen 35012 -prefMapHandle 5012 -prefMapSize 270279 -ipcHandle 5024 -initialChannelId {a6b40b34-44fb-47c7-bf58-8a81ecccc266} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility7⤵
- Checks processor information in registry
PID:2180
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5176 -prefsLen 32952 -prefMapHandle 5180 -prefMapSize 270279 -jsInitHandle 5184 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5192 -initialChannelId {74a8a7cd-6b78-47e4-83d0-ffde20a3ec5b} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab7⤵
- Checks processor information in registry
PID:1404
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5388 -prefsLen 32952 -prefMapHandle 5392 -prefMapSize 270279 -jsInitHandle 5396 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5404 -initialChannelId {5aa96cd3-44b6-4ca0-8c34-ec38e8424efb} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab7⤵
- Checks processor information in registry
PID:5356
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5580 -prefsLen 32952 -prefMapHandle 5584 -prefMapSize 270279 -jsInitHandle 5588 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5200 -initialChannelId {8c87e6d1-fb57-4989-a88a-ad2d42727591} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab7⤵
- Checks processor information in registry
PID:5644
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5616 -prefsLen 32952 -prefMapHandle 5580 -prefMapSize 270279 -jsInitHandle 5584 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5576 -initialChannelId {08846531-e64e-4b0a-94e0-f31171e76e9d} -parentPid 2160 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2160" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab7⤵
- Checks processor information in registry
PID:3824
-
-
-
-
C:\Program Files (x86)\Internet Download Manager\Uninstall.exe"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4452 -
C:\Windows\system32\RUNDLL32.EXE"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf6⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:3172 -
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r7⤵
- Checks processor information in registry
PID:4384 -
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o8⤵PID:4436
-
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP6⤵
- System Location Discovery: System Language Discovery
PID:3144 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP7⤵
- System Location Discovery: System Language Discovery
PID:4628
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP6⤵
- System Location Discovery: System Language Discovery
PID:5168 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP7⤵
- System Location Discovery: System Language Discovery
PID:4584
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP6⤵
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP7⤵
- System Location Discovery: System Language Discovery
PID:3872
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP6⤵
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP7⤵
- System Location Discovery: System Language Discovery
PID:6048
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP6⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP7⤵
- System Location Discovery: System Language Discovery
PID:2632
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP6⤵
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP7⤵
- System Location Discovery: System Language Discovery
PID:1136
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"7⤵
- Loads dropped DLL
PID:3484
-
-
-
-
C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe"C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440
-
-
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4716
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4896
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4708 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{279fa12b-7509-6341-91fb-d439ecc9e13b}\idmwfp.inf" "9" "4fc2928b3" "000000000000014C" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\Internet Download Manager"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4636
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "0000000000000158" "WinSta0\Default"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "00000000000000FC" "WinSta0\Default"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c grpconv -o1⤵PID:1004
-
C:\Windows\system32\grpconv.exegrpconv -o2⤵PID:5056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot1⤵PID:3504
-
C:\Program Files (x86)\Internet Download Manager\IDMan.exe"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" -Embedding1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4600 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"3⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
-
-
C:\Program Files (x86)\Internet Download Manager\Uninstall.exe"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4492 -
C:\Windows\system32\RUNDLL32.EXE"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:228 -
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r4⤵
- Checks processor information in registry
PID:1424 -
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o5⤵PID:4388
-
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP3⤵
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP4⤵
- System Location Discovery: System Language Discovery
PID:5464
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP3⤵
- System Location Discovery: System Language Discovery
PID:4592 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP4⤵
- System Location Discovery: System Language Discovery
PID:112
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP3⤵
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP4⤵
- System Location Discovery: System Language Discovery
PID:3916
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP3⤵
- System Location Discovery: System Language Discovery
PID:3508 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP4⤵
- System Location Discovery: System Language Discovery
PID:6048
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP3⤵
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP4⤵
- System Location Discovery: System Language Discovery
PID:1156
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" start IDMWFP3⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start IDMWFP4⤵
- System Location Discovery: System Language Discovery
PID:3316
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4536 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:232
-
-
-
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD5d04845fab1c667c04458d0a981f3898e
SHA1f30267bb7037a11669605c614fb92734be998677
SHA25633a8a6b9413d60a38237bafc4c331dfebf0bf64f8057abc335b4a6a6b95c9381
SHA512ccd166dbe9aaba3795963af7d63b1a561de90153c2eaefb12f3e9f9ddebd9b1f7861ee76f45b4ef19d41ca514f3796e98b3c3660596730be8d8eb9e1048ef59e
-
Filesize
93KB
MD5597164da15b26114e7f1136965533d72
SHA19eeaa7f7de2d04415b8c435a82ee7eea7bbf5c8a
SHA256117abaeb27451944c72ffee804e674046c58d769bd2e940c71e66edec0725bd1
SHA5127a2d31a1342286e1164f80c6da3a9c07418ebeafb9b4d5b702c0f03065ee26949da22193eb403c8aeec012b6f1c5ff21179104943943302972492fcdccc850d9
-
Filesize
463KB
MD523efcfffee040fdc1786add815ccdf0a
SHA10d535387c904eba74e3cb83745cb4a230c6e0944
SHA2569a9989644213043f2cfff177b907ef2bdd496c2f65803d8f158eae9034918878
SHA512cf69ed7af446a83c084b3bd4b0a3dbb5f013d93013cd7f2369fc8a075fe05db511cfe6b6afdef78026f551b53ad0cb7c786193c579b7f868dd0840b53dbb5e9f
-
Filesize
656KB
MD5e032a50d2cf9c5bf6ff602c1855d5a08
SHA1f1292134eaad69b611a3d7e99c5a317c191468aa
SHA256d0c6d455d067e8717efe2cfb9bdcbeae27b48830fe77e9d45c351fbfb164716d
SHA51277099b44e4822b4a556b4ea6417cf0a131ffb5ee65c3f7537ab4cdc9939f806b15d21972ea4d14a0d95cf946013b9997a9127d798016f68bcd957bbffdab6c11
-
Filesize
522KB
MD53ffb2e17429f183cd312509ae93eee93
SHA1ed190aa09b5c8f7122afb02dd98c4c56d16f2a67
SHA256836f1f880c0020f2821211c64f35c11c0cf4a044d06d4fa26a9c3c10cc6bd0fd
SHA512bc32e9bca091179ecdad8dac68ff05848f7de0ce954e3fb7509f7a959317e1e7bc2d89d77a6ce3eb2534fa95c651709cc2a483470b2e55cabfc0bf63815d0071
-
Filesize
36KB
MD5a3c44204992e307d121df09dd6a1577c
SHA19482d8ffda34904b1dfd0226b374d1db41ca093d
SHA25648e5c5916f100880e68c9e667c4457eb0065c5c7ab40fb6d85028fd23d3e4838
SHA512f700cf7accab0333bc412f68cdcfb25d68c693a27829bc38a655d52cb313552b59f9243fc51357e9dccd92863deecb529cc68adbc40387aad1437d625fd577f1
-
Filesize
5.8MB
MD54bd90f209b82c3ec374c59ec9044118c
SHA110b3d9d45c4de77b997c5f6abeee31dbc6bba796
SHA25611f663edbeea5d54efbdcfd9fa5444ef217b5fc4a844f70c0f5d8455bfee7e25
SHA5121c634160c8e1dc72f19724f784e0ef4ab705d047a940aeb8a9dc1a42bf81181fb479f074b1f9ccccb552f21958c23f9fb28385d8316d7d5b4fc3900dae766c2f
-
Filesize
51KB
MD5d44f8056ffd0f578d97639602db50895
SHA158db1b4cae795038c58291fa433d974e319b2765
SHA256a4fda3af1c386028b46629e6f5113b36aab7e76278ea6683b82eb575dfb9be7b
SHA512e38f4cd19f3a5a227f2a15ff4f5c360125393980812969190435420fde90b5b25ec13c4f79ae5d4bf02f4bdb043a9d9e9e59ee92ca01ce1fcb1fbf327e37996f
-
Filesize
197KB
MD5b94d0711637b322b8aa1fb96250c86b6
SHA14f555862896014b856763f3d667bce14ce137c8b
SHA25638ac192d707f3ec697dd5fe01a0c6fc424184793df729f427c0cf5dfab6705fe
SHA51272cdb05b4f45e9053ae2d12334dae412e415aebd018568c522fa5fe0f94dd26c7fe7bb81ccd8d6c7b5b42c795b3207dffa6345b8db24ce17beb601829e37a369
-
Filesize
155KB
MD513c99cbf0e66d5a8003a650c5642ca30
SHA170f161151cd768a45509aff91996046e04e1ac2d
SHA2568a51ece1c4c8bcb8c56ca10cb9d97bff0dfe75052412a8d8d970a5eb6933427b
SHA512f3733ef2074f97768c196ad662565b28e9463c2c8cf768166fed95350b21c2eb6845d945778c251093c00c65d7a879186843eb334a8321b9956738d9257ce432
-
Filesize
153KB
MD5e2f17e16e2b1888a64398900999e9663
SHA1688d39cb8700ceb724f0fe2a11b8abb4c681ad41
SHA25697810e0b3838a7dca94d73a8b9e170107642b064713c084c231de6632cb68a9c
SHA5128bde415db03463398e5e546a89c73fff9378f34f5c2854a7c24d7e6e58d5cdf7c52218cb3fc8f1b4052ce473bb522a2e7e2677781bcdec3216284f22d65fc40b
-
Filesize
90KB
MD579fef25169ac0a6c61e1ed17409f8c1e
SHA1c19f836fca8845adf9ae21fb7866eedb8c576eb8
SHA256801d3a802a641212b54c9f0ef0d762b08bcca9ab4f2c8603d823a1c1bc38c75a
SHA51249bf489d6836b4327c6ebad722f733f66722aadb89c4eac038231e0f340d48bb8c4fe7ce70437213a54e21bce40a4a564a72a717f67e32af09b3f9aa59050aab
-
Filesize
20KB
MD5e7ca61c2ee52033e38d6a4d607472e3a
SHA10fe77bd275f3e8a36ed1335e968d6bc11deda6ba
SHA256a2e28177b51a556742a164955f8b62dcf2bdf848c2f6907fea0c92ee8e4ccddd
SHA5127cc8a42e8eaa0a46d4cfdb1d22de234e3004e7e46dd196b7fefc315faaa48ceb6eb7faa6d4b0d6ce2e6f269f163cf80c37f68a3e8e8a3b56f914080d9ca824aa
-
Filesize
8KB
MD55e555f385b402c3165f0e0a3dafba79d
SHA1cdf96d54736cecb2ea9777a2b38db1c5b79ea875
SHA256f5dd03cc85bb71f8c3efdb45cfe763a12c7ee7b8d8cc8743b46caec51e54af19
SHA5120377d2ed8083a1e2b94bd3131ab0cb1aad52138fc397638bf84a0196ef54832daaed47564fb33569d8231b749fa8c5ff48a59622991178f6b210b8ddef028886
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\activity-stream.discovery_stream.json
Filesize28KB
MD529bbc2a3e7c2cc476db9c31e001ac4f9
SHA1e44699ba7d6479b0a350c5f96d65d1cb67a5cc10
SHA25646e7edf72246fa0d6931cfed239ab1d6bb7296e0a80f98e04b81d20d6f82f8de
SHA5125bab28ec1a5ddc7f1ff02e43ac950eb450fe337940a4118ffd50a32ce9a2dceef0ee3338dcc23a3da20abfb3c034280ce0e25b83990ef1d4cf5f7be0f693f3c4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\cache2\entries\C9AD8D046AE823121AEB5E0FE6D1B61D65686C5C
Filesize13KB
MD5a8fa4991d7816207b297bcb99801b0e2
SHA18e20dda5aba71eab5c3300749ec47842208907c5
SHA256ba7ccab809810c68e7a675d050370c8845c0a2584bf5bd345b5aec1d48227d7d
SHA512518f0809d09172a6cfc907543b90dd5ce3e4f911f5c218383b6cd261841352f2305492632aefab29f54a1acb1c9fe75696d3becf0dc5114b37b70d85c49a973c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\cache2\entries\CD39AD244C65ED2DD0F139D0BABEEB26DFBD83CC
Filesize14KB
MD5e025a907ba2519124f7698bf80c082e9
SHA14f131e90883b4f22313e023145fd41b1dc3690a1
SHA25640b41ee32028fb05bd049b1da18ab12517b4dee5c30c044d6f53cd5bd37c5207
SHA512f88ef337ccac0b6cce549ad54f185d95257a968833270a3b67672873e1ddc68899e71bc1b597cf57c40726e922245fd619636d63905bc70b1058784c758d6512
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_0f57924ddfed66ab424aa46d47be0828_elex_rhadamanthys_stop_swisyn.exe
Filesize11.7MB
MD585411533ad487aaae811a7502d6eee15
SHA15579a22f8e415ce186a7f547de47761493e68af5
SHA25628125dfe798eef1bdf40e36ef5ef70573def5f439cfbf673cfc22c3a8cd75610
SHA5124f1e74ac61fc8c8a3c00a6c0f8113b3332468d23ea687a2d496deda9dfa2cab34fc0784cbc6886cbba64bec4eb906f9f93cea572bca479fa3e2c950596e1ff69
-
Filesize
162KB
MD51c734d0ded634d8e17a87aba3d44f41d
SHA14974769d1b1442c48dd6b6fb8b3741df36f21425
SHA256645ee6e64ed04825b25964d992d0205963498bb9d61f5a52be7e76ddb2074003
SHA51220239782f4e30157fdfc02a3793ac7bde7ed74400de4cffa812805d680789ea7be5c2c765924d32f74807d80100cccc14b453d3d7e006dd4aeee60dec98af4c9
-
Filesize
4KB
MD595603374b9eb7270e9e6beca6f474427
SHA12448e71bcdf4fdbe42558745a62f25ed0007ce62
SHA2564ff66e3c1e781d92abb757f537af13b1fb3fa167b86d330b7ed302728c7da53a
SHA512d3987f207ad05e142d864b3ffe4ff6758d22b56f75d60ebcd79e0c760cf27106d7ff74bfbc7569389710e50602d3359b4ab20ddc14fbafcf526478dc85bfe593
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize
3KB
MD54be225f5ed8575cb3e70847863026660
SHA1852fbb7d2739afe764613d45dc6f2234bc50f213
SHA2569d1f79719b84eec484602b501d3d9eab89336c25b6d0cc586957bc2e10e845a1
SHA51282ab7efa6f900229d8dae2d72ab039651b8af853b1128b36bf172109f8456c6cd3afdfa3ebbec86624c91cf4db55181bf30befe90195b0f2b7ae782d8e090596
-
Filesize
3KB
MD53cf29c53c8d733d26794661e477fb5b9
SHA194eae66f2a322b5a4c1a6584c036e7b3b88fd2ac
SHA2569efd5d506f16932728de5c0fb7dc0e4b75713920bbcefb108a610c6c1ae45430
SHA5122321fe2f6188cb2590ec2793145f75e1666c41221b29c1d18358311d378f86f2e5a6575028accfc721f9db3e2b27981d857d556bdddd32bf6ea1233af355d94c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\AlternateServices.bin
Filesize7KB
MD54b169a2359b2d8bdc7a2870279c03a4b
SHA1817709a87b9597f85770a242e7ca0d56575251fb
SHA25673c6b640f8b6f55d1c9fcfb8014501c5b0b7de70aff9aa1d4ca63430a434fd36
SHA512ec1dddadb3fba91e88b90d0db7d5e8c0209b8f3a5a7b2691c1134a595ba1ec022bdc0dc64d9232a6c288ac64c7166d32efefa8e6a2a63d55c9fc4c81718b7b42
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD53d258df7e1ea771a00b06efac04e2d98
SHA153b37e93b5527e411696a1a8ac03eaea0da3c1d1
SHA256cf519c167019692d267cc31f3fe45668e9959d2fcaadce6bcac5573e83835273
SHA51293ea7608eec6293916cec48f20ff74a1609c2c4ac7cb58b65d0c905b8b2209e4495ea2a826db027aff29c7acc81c01e738ffd7110f08ce0f77edbcce90b899d1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD591e91412465dbc8ed0b940fdfa7df687
SHA162505ff1bd8d2f8d16dadc88c5a2240c6b818f3a
SHA2568b10caab35d1e808597274ee76725f48002a2fd427e592657ded67748eeb0562
SHA51298494781781a2af5b2d85cc0549d4daebe2e32b3b6903530ff5c26efc3ed4080dac618147eefe5ab7d3c6c29e39bab53f7e22b1515f0845303a077f4300f287b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\datareporting\glean\events\events
Filesize1KB
MD588727251a528131cb5653fbf056ca4f7
SHA164c34bed8eb47b9234043ffd345b607cc0c36ab1
SHA256dbf989b5501a4144afdacb9b5db4f70379d4cb2aba131f23e827aa582c463f0a
SHA5129e4cc2524db08912188a4b159105f533a88caac579e00756dd83c4b5de627e66c27aff0c34db950cf2c4ac3b5d94c9a7fc980775c778dd6080f7ff7b5f58eba1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\datareporting\glean\pending_pings\2ebf672b-cd15-4436-a44b-9ab4b43a9d39
Filesize235B
MD538d0b9edaf536ce4c3c01efc32bb906d
SHA12cc32f8ddd7c1b3bafc879124e6e03cd4b06aa4b
SHA256117d92e1ab289cf8590ff97e62f4d5562a7f60c8978a1e1929c22c7f8e20bdc4
SHA5129d1294f7e9cfa60d18992b0e7f132fb32dbe279b23d93ce95ef2095077db027e983617999ac86c059291e203071c369f306c38f2629154194aa186484bf6a0af
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\datareporting\glean\pending_pings\39ee2a5f-927a-4603-845d-dd7d27b74930
Filesize235B
MD54659dc66535a226451f8cfd16d8264c6
SHA1e72abcc31af8ffa16de5274ddd445f352b825471
SHA256ee2a857e211f75cb49a1cb328a918a957ee528491746043dd3823fe03cdaae38
SHA5122e44d775790ff16937699c9f6a442175cf69beb5fe143de13b19d32d8974608664f3d3f6c981064bdfcf3ad0ddf1a93548900ad4b7d0ef43573627ad1ee07030
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\datareporting\glean\pending_pings\4818ebf8-2f1c-4fca-a537-f01ca9aaa089
Filesize2KB
MD5fe9ba87cd2f8b163add3ff2ce8b6e856
SHA109c9e8e5853b9776bc84722a39e7c1d15b6d0445
SHA25627ca94bfd3c9e73b5019ab1e8191764075d160bd589429f8df3844842f9f988d
SHA51299f6af311f5a9980a2c827358f16d5fb412663db2be362b92ed09e8536cdb6cd25ad4eecca195f64f8cbb43b0cdbacd2fc69f162d0928fd4fc067a1e5a94e890
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\datareporting\glean\pending_pings\81c2b5a4-8dfd-4961-9ff3-14bfd367b25e
Filesize886B
MD529de03698b1d0b0f85c44c77da1c8afb
SHA1b558e600cf037d2e56f3e49941999b8e246a04fd
SHA25671a977826c65957f83d7c3eee609c393dce944e30c895220a8cb64b70abc8ab1
SHA512a286b8fa7417951e958827879465075c536146caddf456c67a33ae85494b3367ea744822301346669983907f81cf5c1109a58cd450521779baa5bf27464b0330
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\datareporting\glean\pending_pings\9bda6808-98a0-4f95-a120-493b96acc635
Filesize16KB
MD55953a2b9d1beb10034d4c07af3606d48
SHA13f5f54b36c9ec2c38705712e9ea2eece4fd6b2c1
SHA2562b90208a896bb473142c9d5ca27d3fd0b7658e3debcfcd3045b31cb89781ca45
SHA51207e16622a8178cef10cb8c7dcffd1ca944f9a7869c644411907b53bd3cbfd99ab1910cfd881dbfdf057604526d1eef5d70734be5f487bbe6cf145b4b0a418cff
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\datareporting\glean\pending_pings\b14baacd-b41b-4327-936e-2f606a8a8698
Filesize883B
MD5ab10199e6c8227cd3bd203e2a0ae103c
SHA11aa228555d7660e24cd7548384404e380197d5d5
SHA2560d178aa40fd6e71bfcb7befa987b042d610866b97d24751e3c51039898786a7b
SHA512e6570dc436ccf0be9688924979ecdabaf5b874401754a4a4797f1d370b8e6a38292704ec59f2e580b2d53bded8b0c306835ad8a138f5d8720c71b3d9261231cd
-
Filesize
16KB
MD5f678b340816a867eb32902b93ea52281
SHA1d2e56699e7ef15d6835d14bd765865acb4275c89
SHA25646bc015730d19c99b619e663c3b621ee83c73050ea43a574708c6e1e12e10524
SHA51264fe6675e79745f3ccb99245144241352235b70275f45ff174f9e2dd9df4b10a2d7b7e68a37513a1bb0b0956840b33622b97c2602d5a20153aa247b9b48c58d9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize18.5MB
MD51b32d1ec35a7ead1671efc0782b7edf0
SHA18e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA2563ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
6KB
MD5bc1fe76c543c29385d7a2ad32c08e09b
SHA1c982e74d97701e94949c2e30c7c14c5a11336767
SHA2561c3c1142ebc305ab57fa2e8f51336d77037dc2097f92250884cb3c8a6aa79574
SHA51290763a7dccf4c59cbd91338ed6785c0ba81709b097feee6bb224cc9f1556d1b63466e41e66ccb6da988ecf55c71c707a60ea73bbe4182427175d4ab72135727e
-
Filesize
7KB
MD55697721169f4044ca6bf135448001e57
SHA1ffdc4259e8c83d332bbc24e2e927642e888394a3
SHA2562a08a79e2b7f567de38e69cb011e15dacdd2868cce54bf5af162820fd1b4a0db
SHA512fc722ad309d3b92cc8cf524ad4a9b421661b79de79dea0d208650150f1ed296e3a801aed220f36e14b38e389096aa850bf1284bc8fa2fd1d74b2da4f112f5f45
-
Filesize
6KB
MD57f2e01ad855b0c9ff1fbf907f47e1d8e
SHA1491539a9703ac4f953d7ebf736cc80ab7c2f4601
SHA256dd9115ff117372375572854b6c1b6519d5072899ceb2e4b19e2e14c90c280c92
SHA512d688891fcfba468726ce48303c33da058a2ecfde66350b05ae04e40dfa7953d8bd6360d361e945485e9b300b8754258d1144dfd0d61182659a9827a80aa07d97
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x8h9ktxo.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD5e379a58ad2d26aade8f65ea9783aa03c
SHA15d8585b11314bf5f84e65f8a67270af3b2307c0e
SHA256fdedfc2a79ff78464a60d68567195a4702280b50ff6bdc489fbfe5e0092c8b27
SHA512f866b72375845bb32800942d250d7e91fab8b750a87c938fc8c2fa01b2050fd48b04157d0b7d4942137f72523e8581a208f21d0fdd4aa6461db4ce938f37b048
-
Filesize
135KB
MD5b6c42a057794db20c7c2f59861879bf0
SHA1cf8af3c20e5239d21ef50c980871f4f275157a99
SHA25638cd5fa4d593c4b3907e28c29071ff05c75be65ed6a21822ef89a7b75fb94302
SHA512c91e6b2ab85169bd2d29bfbf7ecb48bba2a5744146cdb2879e41c7736b109541165d716c769f2c9cc0ddd524283823c0062823f517f7a2fd33240243a83ff329
-
Filesize
135KB
MD53a7c33394deb16c0d93d8dac9cef7ae7
SHA1cacfff61752392d264d1725840399c41abc9d34d
SHA25617829b658ddcc8b5b15da3bb7b1d8358adf90c3a36b48b27029b64e59b8c25c5
SHA512148bd393fd97a36f69e0bf427249aa2a9bb7730b659b88af44e786a74d3aad1aa16097c77ac083538c4c827106d3b6bd230360bfdc8f42dd0bc18449fdd5be4b
-
Filesize
135KB
MD54af65913f417358baa8abe8fa54022e3
SHA177457f909a764cdc2b107cc3b274c901dbe2c67d
SHA256b754f08b511dafcba2af3a1104a60a0d8b313e76a10c7c6b79d495bb2ebcc4dd
SHA51294c38a60dba404b161ab62348062b53de392592c433c488429c662376560cf364a3119e6adf57047528d880e64ae6a1329c72cc9b5f1616e8be77a98fef0dffd
-
Filesize
169KB
MD57d55ad6b428320f191ed8529701ac2fa
SHA1515c36115e6eba2699afbf196ae929f56dc8fe4c
SHA256753a1386e7b37ee313db908183afe7238f1a2aec5e6c1e59e9c11d471b6aaa8d
SHA512a260aae4ff4f064b10388d88bb0cb9ea547ed0bc02c88dc1770935207e0429471d8cd60fcc5f9ee51ecd34767bf7d44c75ea6fbe427c39cc4114aad25100f40d
-
Filesize
12KB
MD5d5e0819228c5c2fbee1130b39f5908f3
SHA1ce83de8e675bfbca775a45030518c2cf6315e175
SHA25652818c67be219bc3b05c58b40e51b99a65c2f4bcafe38a995610b4ec10928def
SHA512bb397004f2256db781385de3e7e7b7993be8fbb2cb701ead99a7878c2bcca6c9ae4a7aa61c329aeeb6711c8c74081e971e85af38af6b32b58888c932fd51d218
-
Filesize
2KB
MD5f8f346d967dcb225c417c4cf3ab217a0
SHA1daca3954f2a882f220b862993b0d5ddf0f207e34
SHA256a54e0ac05254a464180e30f21a6b26651e7495427353bba9c246ba1d2388e7cc
SHA512760c2914f3e937a2a3443a032cf74b68b6d24d082d0f50d65058a0fd87d8eeab229fb8d3105e442f0b3b0b2f3824439981951266425512e51e7ff36669a652fa
-
Filesize
135KB
MD5226ce7c4186d32209bda51d324c9f2e2
SHA189642cd36bf5e33974a3e0e5d057bb38bc69f2f5
SHA25632b1b4a1124f4a75365319b291bdf5c10a62062019d486d8236a98851ca74845
SHA51260f0d3b00acae3877c5801a393d5cf7b03bfdc3bd58330a87669d0a2ae83324de34d26bf9f73f31536a33c79f0c588645f5cbdc1bbb4ee70a459566e4cfd1610