94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Size

5.8MB
MD5

6d6bb922a210e712b996824df9c340f2
SHA1

fe93c4ccc29144b4f0cb0c9734eb00dbbdf5c5c0
SHA256

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03
SHA512

33ea02cc143e5578e90c114282b9472c623c67a43bb2bc0c4ad0d6dabb8ae9e8169e1e52629689844ce5c644f7af6f068284622cd4b5613d01b887eb39a684fd
SSDEEP

98304:Odix1DBHi52kgkPaP4t18frP3wbzWFimaI7dlot3:YUHi52k5MgbzWFimaI7dle

Score

9^/10

adware persistence spyware stealer upx

Malware Config

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\A1D26E2\4A688C088C.tmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2188-13-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2188-82-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2188-194-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2188-214-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2188-318-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\A1D26E2\4A688C088C.tmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2188-13-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2188-82-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2188-194-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2188-214-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2188-318-0x0000000000BC0000-0x0000000001188000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 8 IoCs

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	UPX
behavioral1/memory/2188-3-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/2188-14-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/2188-83-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/2188-173-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/2188-195-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/2188-215-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral1/memory/2188-287-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

\Program Files\Common Files\System\symsrv.dll acprotect

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect

Loads dropped DLL 4 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid	process
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	upx
behavioral1/memory/2188-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2188-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2188-83-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2188-173-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2188-195-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2188-215-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2188-287-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe /onboot"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description ioc process

File opened (read-only) \??\e: 94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
File opened (read-only)	\??\e:	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Drops file in Program Files directory 6 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
File created	\??\c:\program files\mozilla firefox\uninstall\helper.exe.tmp	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
File opened for modification	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
File created	\??\c:\program files\mozilla firefox\maintenanceservice_installer.exe.tmp	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
File opened for modification	\??\c:\program files\mozilla firefox\uninstall\helper.exe	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Modifies registry class 19 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exefirefox.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "180"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid	process
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Token: SeRestorePrivilege	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Token: SeDebugPrivilege	2500	firefox.exe
Token: SeDebugPrivilege	2500	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exe94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid process

2500 firefox.exe
2500 firefox.exe
2500 firefox.exe
2500 firefox.exe
2188 94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

firefox.exe94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid process

2500 firefox.exe
2500 firefox.exe
2500 firefox.exe
2188 94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid	process
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid	process
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

pid	process
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2188 wrote to memory of 2572	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 2188 wrote to memory of 2572	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 2188 wrote to memory of 2572	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 2188 wrote to memory of 2572	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 2188 wrote to memory of 2572	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 2188 wrote to memory of 2572	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 2188 wrote to memory of 2572	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	regsvr32.exe
PID 2188 wrote to memory of 2456	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	firefox.exe
PID 2188 wrote to memory of 2456	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	firefox.exe
PID 2188 wrote to memory of 2456	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	firefox.exe
PID 2188 wrote to memory of 2456	2188	94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2456 wrote to memory of 2500	2456	firefox.exe	firefox.exe
PID 2500 wrote to memory of 2984	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 2984	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 2984	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe
PID 2500 wrote to memory of 1040	2500	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe
"C:\Users\Admin\AppData\Local\Temp\94c66301ab6fdec5629f959863dbf9cc5ca1f81b00c173a0017fa5ba3aee6b03.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
2⤵
PID:2572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
2⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2500.0.1920395760\363152692" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1264 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1af5dada-790a-449b-8fa4-83549033f441} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" 1336 ffdc458 gpu
4⤵
PID:2984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2500.1.8688273\1773426591" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75bf89e2-ec6a-46a8-a925-bb489b7e4d82} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" 1536 44eb558 socket
4⤵
PID:1040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2500.2.316567739\201591423" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2072 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b83be16-31d6-428b-8ca2-65f6d972ebd3} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" 1964 1ad85e58 tab
4⤵
PID:1060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2500.3.8335831\1512635880" -childID 2 -isForBrowser -prefsHandle 2840 -prefMapHandle 2836 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9987257-0354-409b-ab8f-b3bf5456fa77} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" 2852 1dac7a58 tab
4⤵
PID:712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2500.4.2051068651\1103073179" -childID 3 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {630028e6-0bff-4b6f-87b4-18beb2d29136} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" 3668 1f05e858 tab
4⤵
PID:1940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2500.5.1042791642\1319123804" -childID 4 -isForBrowser -prefsHandle 3764 -prefMapHandle 3768 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {817e166b-62a6-402a-87c8-f13645dedf9f} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" 3752 19f03558 tab
4⤵
PID:2220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2500.6.826890982\6270635" -childID 5 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25e83f79-0359-45a8-b266-b58e8c01251a} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" 3916 19f03e58 tab
4⤵
PID:2232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2500.7.1274809268\1005593581" -childID 6 -isForBrowser -prefsHandle 1964 -prefMapHandle 2328 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe151684-66cf-41f4-b527-b18b1255d83a} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" 3812 21f80658 tab
4⤵
PID:1284

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
2⤵
PID:2288

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
2⤵
PID:2920

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
2⤵
PID:2096

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
2⤵
PID:332

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000
Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\datareporting\glean\db\data.safe.bin
Filesize
9KB

MD5
19072ffb1f367f85dc8f135affdf2218

SHA1
65f9ed61cc7c749f85dce7d47101e08e91b8f6e3

SHA256
75144922a660cceaa5a804e47422f76338034cdd1e95527221b67f17d0cd60d2

SHA512
c6af6f30322a125b7f0ee0655734f6f444b9ccfd7e2d1dbee67236abb96f9b17256b117e00e7ec4d4916126ca5633c627e6f360ad762d8e95f6fb181a13b0e1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\datareporting\glean\pending_pings\cabe9596-d1e0-4d3f-8046-b3eecfc55184
Filesize
733B

MD5
dc58cb342cc53a9d149a76f00b45fedb

SHA1
1ec7afc8efdbcb300e738de8268769d577c697e3

SHA256
e8cdc1757f78aea19b709ef5391308884ef242ecedd9daf88e64de3380403e61

SHA512
54c9c4b146987d2bde79c8885cdee356aca4d18ca46609ddb10d6a851c1725efa3786d048ba70a75b3dd55b54bb394b5a531c4c254f7999ac9081c6dd8f9c9ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs-1.js
Filesize
6KB

MD5
e9421686acb2f87d77401d1b6e4efb22

SHA1
81b93f1c123b1e549109cb668c70fc534a206ec7

SHA256
55ac8c8e7ede92ecdffd3426ef92c539254cb8d97e0f1c73ead4381a2395d549

SHA512
c94d934c7ccb43b42570a137039744fe57c61c66df424af9cc9a2e7c5788fdd730e3f3a7a4b29d864e4780b1db29f2393e30322c5be09374514a99e72df26ad2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs-1.js
Filesize
6KB

MD5
c050aeefe0da85d5e51476d30eea9c3b

SHA1
4087250a55cc5725839a49a96830f519dec33292

SHA256
d9fdf9f27184c212d22cab932b52fafe2213956150385b8ccc24c6819e205b00

SHA512
85071287848f34c16319014532f4b45ff3dbe8d7d9fb4887e15cca64ab8bb78cb10f64835f5708f3b1b539d6039563bb2fac8b6631f6bb750ccac1e4bed15030

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs-1.js
Filesize
6KB

MD5
a0a09f007cb72b09c66d3813ad00675c

SHA1
80d964485fd5fc5cdaac8e71de9ebaea80103690

SHA256
8467120641c8d0f12af0c2bf906906d0bcc5bed276d5f30d4db440a48034c003

SHA512
4feaede42055bdf3bcf13da685b4e04cbdddd3dc62ec7b2b014522e89414b60862cff00c78073768536b1db9e806ba881bab592ebc7795c6d47ba1b2c56e6b98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
0b1f161c9f84775703f0736523d03716

SHA1
d530d02943648e10b69431bfd9ecda73741ae512

SHA256
c6b33b03a7c59cd68fe03c5d282714c425360c398ff6fcb00012dcf21a114af7

SHA512
ca45a75769a6212c46f7e94082285d80030545f748319e60da95476ec0663548b238a615b826118fd915d229fbbbe179377e153e609399ef95846a92a8cb4144

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
65a881191b54c0fac2da189f713e0f5c

SHA1
74fff2a03c4a936edaf3bce91c527c590a8ef7ee

SHA256
a2f8a8108edcf65b274ce69327c484e59dea35d059e3279b6b50b06071d879ef

SHA512
f384f0c72456b1175768d1631ecbace356288e5b3c5a582f10bea01ab60dfe00b6daad97dc9d096de9f99d3a8380032205ac5ca191e05195d2dd0a73a67d75f6

Download Submit
\Program Files\Common Files\System\symsrv.dll
Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp
Filesize
261KB

MD5
7c8b4e015ebc867e9e312488bcaac587

SHA1
b8f9b922e0944daae13bc0a6e4782e8b802e243d

SHA256
e81f4bef0a3cb0bf33fd84057e5cef35e75c6728402be5460e1a86b5015f3225

SHA512
100633edeff76e18a52e99ef011eece1f6e942668bbb39c183b0577dd393afde24d4a21ddbd935a3265ff13c6c67d5e10d2fa91c6e8148ab53117c0865b8f327

Download Submit
\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp
Filesize
1.3MB

MD5
901f7613211e34fb22eb868f9ba8b5b0

SHA1
9e4c840756203df116bd21c8af7d85c65955df6e

SHA256
e7db957a7d8f90541a068c9edf1d37b393e3f63de036f9edb17406b2120c367e

SHA512
f142443b945c77809eace5d6ab16542be0a2fda6b00b3f52946a3c238c7c2ee85c72f591f6fa9c005833f1aea53ede2d524cb35d9133a5db4cae23ed960264e2

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\4A688C088C.tmp
Filesize
5.7MB

MD5
f123c24c54064781a76f09fc76123819

SHA1
8368b22d32d995e3d292557ed4c55ead1b6b4d06

SHA256
0285c2e1d9b0d58c58210c715ec469cb171145d534230501d69dd04b5f30e1a0

SHA512
7840b11e2c0edfb3e45582c1082dc583ae75a1473f3fbb4bf2883d22191e86b84d0b293238eb9f274e7b4cefb5274ad22ccca77cd4285c2cdccfa3a323ed1177

Download Submit
memory/2188-195-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-215-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-173-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-194-0x0000000000BC0000-0x0000000001188000-memory.dmp

Filesize
5.8MB

Download
memory/2188-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-214-0x0000000000BC0000-0x0000000001188000-memory.dmp

Filesize
5.8MB

Download
memory/2188-82-0x0000000000BC0000-0x0000000001188000-memory.dmp

Filesize
5.8MB

Download
memory/2188-83-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-13-0x0000000000BC0000-0x0000000001188000-memory.dmp

Filesize
5.8MB

Download
memory/2188-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-287-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2188-318-0x0000000000BC0000-0x0000000001188000-memory.dmp

Filesize
5.8MB

Download