Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    11-04-2024 18:29

General

  • Target

    dolphin-x64-5.0.exe

  • Size

    18.4MB

  • MD5

    eca48982effad82616f206f52336fe4b

  • SHA1

    4d88af3572de650b0b7dccd92dc8de5854edfae6

  • SHA256

    e1b3ae8fc890c6588e5656f77ef2747ae7ddfc90b6530b240c0c5b9d0ab3ce8c

  • SHA512

    778755b2d12c703a2954882a4d333b7cb61ee7ed0482b5cb14c1cbc4b90c8b65f308944a2f9369a89fc54d163c613efc65adf70316c08d447183f65637fcb557

  • SSDEEP

    393216:Y1qyjt4rPX8zs3XxdbHNemtqa7JhnurHTl0WcS4ENyQ4p9Jmm+:Y1qyZePX8khdbtecqa7JhnurHirhENys

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 64 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dolphin-x64-5.0.exe
    "C:\Users\Admin\AppData\Local\Temp\dolphin-x64-5.0.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe
      "C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe" /silent
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:656
    • C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe" /install /quiet /norestart
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5696
      • C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe
        "C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe" /install /quiet /norestart -burn.unelevated BurnPipe.{F1F8A44C-8C92-4E32-A840-2D015967D875} {5884645A-D8EF-43BB-9F99-285BC014D5ED} 5696
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:5728
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1660
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:4328
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:920
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5528
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.0.1029380268\1406092010" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11d11a60-eb46-4952-b554-8c5785c433cd} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 1796 22be69da458 gpu
        3⤵
        PID:5408
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.1.535977147\1092628526" -parentBuildID 20221007134813 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53bbe0bc-e746-4ff5-8a02-1bd880d59052} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 2148 22bdb96fb58 socket
        3⤵
        PID:2284
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.2.522894632\1162117887" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2928 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdc2e554-bca2-4ea5-a747-371ec0013c9c} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 2920 22be695d858 tab
        3⤵
        PID:5932
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.3.1239435580\1382451158" -childID 2 -isForBrowser -prefsHandle 1580 -prefMapHandle 3316 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3513da66-19be-4744-9861-ae00b8c74409} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 3612 22bdb962b58 tab
        3⤵
        PID:4600
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.4.1290924754\339734716" -childID 3 -isForBrowser -prefsHandle 3784 -prefMapHandle 3780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d8b8124-7442-4677-b936-b890fa89f1b9} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 3792 22beb2a9258 tab
        3⤵
        PID:3832
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.5.412275204\331801411" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4876 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8927f4bc-7c5b-4a30-ad0b-3a59d6ff9778} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 4888 22be8f88558 tab
        3⤵
        PID:1916
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.6.922159787\942340893" -childID 5 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a496246f-d24a-4824-b119-88ccc2013a29} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 5020 22be8f8b258 tab
        3⤵
        PID:3056
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.7.1214453756\1691901130" -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f161d32a-abc7-433c-8b22-ea159270237a} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 5216 22be8f89158 tab
        3⤵
        PID:3180
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.8.1494860747\3090426" -childID 7 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9419250a-825f-4bda-96dc-c24fe71e9858} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 5076 22bec6b6758 tab
        3⤵
        PID:5392
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.9.1652376463\1398072764" -childID 8 -isForBrowser -prefsHandle 1560 -prefMapHandle 1564 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85157a13-3582-4e80-9def-abdbd9e2cced} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 5684 22bee193558 tab
        3⤵
        PID:5368
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.10.838187014\1517693071" -childID 9 -isForBrowser -prefsHandle 5968 -prefMapHandle 5916 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b347628e-ab2f-40ae-84a1-82102baf4632} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 4700 22bee65cb58 tab
        3⤵
        PID:2584
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.11.1152909502\1159243597" -childID 10 -isForBrowser -prefsHandle 5992 -prefMapHandle 5864 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd82b56b-d303-4ff8-8ea7-6858d3187781} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 5996 22beecf5558 tab
        3⤵
        PID:5436
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5528.12.2009725210\66378275" -childID 11 -isForBrowser -prefsHandle 6524 -prefMapHandle 6540 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {536c7526-a193-470f-a98d-bda4d804b434} 5528 "\\.\pipe\gecko-crash-server-pipe.5528" 6532 22befba4e58 tab
        3⤵
        PID:5984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Dolphin\Dolphin.exe
    Filesize: 14.9MB
    MD5: 9660ec7cddf093a1807cb25fe0946b8e
    SHA1: 5986661c62d689380476db238d7c18fa37d1b616
    SHA256: 19d5c382204d7e40a764e116967aec610f502b9be60b9d3b095073827aa93c66
    SHA512: 5213c828d4f0742c3cde59ceea7b111a1402779602f09fa5e898083b07f2860bb33119f97741bc049fefc0cd745879d22a12dc37ece8e0dd8b308dcc84079755

  • C:\Program Files\Dolphin\Languages\it\dolphin-emu.mo
    Filesize: 121KB
    MD5: f00a5461ba0b2c95f801923fef70c266
    SHA1: f7717e3f341e1b56c46407df643d4ac6dcc09885
    SHA256: 19c8af2231c12fe7969e63595f818baf9421542d1e4f3ea64ac2ff79352a6f12
    SHA512: a9977db27df94510bc75ee961924804c59c0005b9bc9b8961d63b01359c72920a6a6f0f3b014c715f3b0c4208038deb65f114f83dee157422dc035b84a267315

  • C:\Program Files\Dolphin\Sys\Resources\toolbar_debugger_step_over.png
    Filesize: 988B
    MD5: 926a446e9de7d51c34ae548673386417
    SHA1: 5a0a2666b270eca354f1632de8f98fc966864d08
    SHA256: 85f27cf7d073c5931530c102d4c39ff731a3eb30c67d506c6626b0ad72f26539
    SHA512: d5117a0a76c22b06aa91f7586f866387ad74b4962e569cab64d6abeb83d701c8b66331dc6193478f36faef616a95f404cb15a7a0b0b86f863c93ab09f908ea53

  • C:\Users\Admin\AppData\Local\Temp\DXD92A.tmp\apr2007_xinput_x64.inf
    Filesize: 860B
    MD5: 94563a3b9affb41d2bfd41a94b81e08d
    SHA1: 17cad981ef428e132aa1d571e0c77091e750e0dd
    SHA256: 0d6e1c0e961d878b319ac30d3439056883448dcf26774003b73920f3377ecac8
    SHA512: 53cac179d7e11c74772e7b9bd7dd94ffbc810cfc25e28326e4d0844f3f59fd10d9089b44a88358ac6dbd09fb8b456a0937778f78ecc442645764f693ccd620b8

  • C:\Users\Admin\AppData\Local\Temp\DXD92A.tmp\apr2007_xinput_x86.inf
    Filesize: 1KB
    MD5: e188f534500688cec2e894d3533997b4
    SHA1: f073f8515b94cb23b703ab5cdb3a5cfcc10b3333
    SHA256: 1c798cb80e9e46ce03356ea7316e1eff5d3a88ccdd7cbfbfcdce73cded23b4e5
    SHA512: 332ccb25c5ed92ae48c5805a330534d985d6b41f9220af0844d407b2019396fcefea7076b409439f5ab8a9ca6819b65c07ada7bd3aa1222429966dc5a440d4f7

  • C:\Users\Admin\AppData\Local\Temp\DXD92A.tmp\dxupdate.inf
    Filesize: 12KB
    MD5: e6a74342f328afa559d5b0544e113571
    SHA1: a08b053dfd061391942d359c70f9dd406a968b7d
    SHA256: 93f5589499ee4ee2812d73c0d8feacbbcfe8c47b6d98572486bc0eff3c5906ca
    SHA512: 1e35e5bdff1d551da6c1220a1a228c657a56a70dedf5be2d9273fc540f9c9f0bb73469595309ea1ff561be7480ee92d16f7acbbd597136f4fc5f9b8b65ecdfad

  • C:\Users\Admin\AppData\Local\Temp\DXD92A.tmp\xinput1_3.dll
    Filesize: 79KB
    MD5: 77f595dee5ffacea72b135b1fce1312e
    SHA1: d2a710b332de3ef7a576e0aed27b0ae66892b7e9
    SHA256: 8d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7
    SHA512: a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746

  • C:\Users\Admin\AppData\Local\Temp\dxredist\Apr2007_xinput_x64.cab
    Filesize: 94KB
    MD5: 743b333c2db3d4cf190fb39c29f3c346
    SHA1: 26b3616d7321978bd45656391a75ee231196a4a2
    SHA256: e7a09f8235cc587cc63f583e39fbc75008d9677c8bb4dcc11cb8d0178a5153ac
    SHA512: 77fbdb86c79d7228bca2982a3285a417a365af980488a5ac2d470b532fa59fcc15e0e8dbee6eb1a3a5256fc29e0e3391529cd2ac13e0f72987ee0da136000957

  • C:\Users\Admin\AppData\Local\Temp\dxredist\Apr2007_xinput_x86.cab
    Filesize: 52KB
    MD5: c234df417c9b12e2d31c7fd1e17e4786
    SHA1: 92f32e74944e5166db72d3bfe8e6401d9f7521dd
    SHA256: 2acea6c8b9f6f7f89ec51365a1e49fbd0d8c42c53418bd0783dbf3f74a744e6d
    SHA512: 6cbae19794533ad9401f92b10bd9549638ba20ce38375de4f9d0e20af20d78819e46856151cc6818325af9ac774b8128e18fbebd2da5da4efbd417fc2af51dab

  • C:\Users\Admin\AppData\Local\Temp\dxredist\DSETUP32.DLL
    Filesize: 1.5MB
    MD5: d8fa7bb4fe10251a239ed75055dd6f73
    SHA1: 76c4bd2d8f359f7689415efc15e3743d35673ae8
    SHA256: fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8
    SHA512: 73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4

  • C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe
    Filesize: 505KB
    MD5: bf3f290275c21bdd3951955c9c3cf32c
    SHA1: 9fd00f3bb8a870112dae464f555fcd5e7f9200c0
    SHA256: 8f47d7121ef6532ad9ad9901e44e237f5c30448b752028c58a9d19521414e40d
    SHA512: d2c354ee8b6977d01f23c6d2bb4977812bf653eae25e7a75a7d0a36b588c89fcdbdc2a8087c24d6ff687afebd086d4b7d0c92203ce39691b21dab71eafd1d249

  • C:\Users\Admin\AppData\Local\Temp\dxredist\dsetup.dll
    Filesize: 93KB
    MD5: eb701def7d0809e8da765a752ab42be5
    SHA1: 7897418f0fae737a3ebe4f7954118d71c6c8b426
    SHA256: 2a61679eeedabf7d0d0ac14e5447486575622d6b7cfa56f136c1576ff96da21f
    SHA512: 6ff8433c0dadc0e87d18f04289ab6f48624c908acbda506708f5e0f3c9522e9316e587e71f568938067ba9f37f96640b793fdfaa580caedc3bf9873dc221271f

  • C:\Users\Admin\AppData\Local\Temp\dxredist\dxupdate.cab
    Filesize: 94KB
    MD5: d495680aba28caafc4c071a6d0fe55ac
    SHA1: 5885ece90970eb10b6b95d6c52d934674835929e
    SHA256: e18a5404b612e88fa8b403c9b33f064c0a89528db7ef9a79aa116908d0e6afed
    SHA512: a25c647678661473b99462d7433c1d05af54823d404476e35315c11c93b3f5ece92c912560af0d9efe8f07e36ae68594362d73abf5d5de409a3f0a146fe31a10

  • C:\Users\Admin\AppData\Local\Temp\nsv6217.tmp\InstallOptions.dll
    Filesize: 14KB
    MD5: d753362649aecd60ff434adf171a4e7f
    SHA1: 3b752ad064e06e21822c8958ae22e9a6bb8cf3d0
    SHA256: 8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586
    SHA512: 41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

  • C:\Users\Admin\AppData\Local\Temp\nsv6217.tmp\ioSpecial.ini
    Filesize: 480B
    MD5: 20cc66b36a499ec80e3b2deffbdab019
    SHA1: b09238f2e54e88e32182c059b14f2d1cc469cdaa
    SHA256: cb076ace3303ca08a74095c8c91dadab015e88d185ddc30ec735983a8ce0c8ee
    SHA512: 7e4f7dd56de9999bcd6ee0253d3eb6f0b92b6e6ee339a3d78760d419112ee76635b49d08ebe8e8f4c659199b41fc82fd1371040c7a6581c81060d9c93fcd7406

  • C:\Users\Admin\AppData\Local\Temp\nsv6217.tmp\ioSpecial.ini
    Filesize: 519B
    MD5: 96c53e41d62141c1c1a19c51fb253ded
    SHA1: 64f3586d2fc1dcc915e3c2c3471fa027f801c742
    SHA256: a721fd914dd47edb389f692bb5d1941d5e391a6483d2c4c3c0c8f63b9d7f9114
    SHA512: 736392d62bf5c912416875f61531a3064ca9cb101fb59fbcc924061dad32f0d3c0fb0bad674fe218a55ba9db70447ac6735b268602401f62fa78cc9714019a48

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
    Filesize: 442KB
    MD5: 85430baed3398695717b0263807cf97c
    SHA1: fffbee923cea216f50fce5d54219a188a5100f41
    SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
    SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
    Filesize: 8.0MB
    MD5: a01c5ecd6108350ae23d2cddf0e77c17
    SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
    SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
    SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

  • C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe
    Filesize: 14.1MB
    MD5: 883c499d04c145a69622f7658e353265
    SHA1: bb64084762abd4a06b2fddd16f0092860bc3043f
    SHA256: df58f4aa566a10776c864c1007e0ac0987835fa1e9f7445bed8ba21a9101d414
    SHA512: ce840c9420e928c9da6c30c3cd97eeb047d34ee7046b8cfcd20b512fbddfe885329ab4db3ca53f7094bf1caeb600c834cb2db10797ceade859c21786144206c9

  • C:\Users\Admin\AppData\Local\Temp\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}\.ba1\logo.png
    Filesize: 1KB
    MD5: d6bd210f227442b3362493d046cea233
    SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
    SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
    SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 88295272309f5b3d21108eee274b3aa5
    SHA1: 19016d4963ef06f10d261f9b5c9ddec9a2137070
    SHA256: 1f79f4c59d7139dbf3cba67649ca4006621aa62ef169016664cd3266b6e68ddd
    SHA512: c41057909fd68d4dc380b016540c0fd208986120cac01b30db262530cdbfd508608059cdcaf194026375ba77c8ae39e9cc9d6f62c406e6cc6f4c69ddee22db94

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\377347dc-dbbc-4564-91d7-6f59b336f9d1
    Filesize: 10KB
    MD5: 44924c1146c009d24ebdcb3ee0a618a1
    SHA1: 372c1514aca7d31ea499a525dcce09081bf49662
    SHA256: 0b962ac6589c4332e11eb0595ca28f0d220bc539263028c0bd9e38c904befb74
    SHA512: a1222e68d00b1239ed8191707d351f0e0fbace0cf5181528ee540e14cbbe5ef69973e165e7bed4bf17ca8d0e68ca2f0e6a02038847b8bf61f061f6087d0b3bd4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\3d4b2f92-5ea2-4c94-aec8-27f797cf716f
    Filesize: 746B
    MD5: 59a149d73fbb3f586032e3c673ca7ccf
    SHA1: 5964129899d352d8901c271fb7fdae649f10e57b
    SHA256: b2b3cfe372b5887d7655c5678ca85e4f3e8ea20194fabd7d113c31366b8ee9a6
    SHA512: 17b08358cc92976bb0efa14d5e3c00f09244987afc1885ae0a2e1ee23684cd181e811b08f437721df591086b6b62c5f3bfcef727629c553345ab20a8a930ead1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
    Filesize: 997KB
    MD5: fe3355639648c417e8307c6d051e3e37
    SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
    SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
    SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
    Filesize: 116B
    MD5: 3d33cdc0b3d281e67dd52e14435dd04f
    SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
    SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
    SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
    Filesize: 479B
    MD5: 49ddb419d96dceb9069018535fb2e2fc
    SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
    SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
    SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
    Filesize: 372B
    MD5: 8be33af717bb1b67fbd61c3f4b807e9e
    SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
    SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
    SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
    Filesize: 11.8MB
    MD5: 33bf7b0439480effb9fb212efce87b13
    SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
    SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
    SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
    Filesize: 1KB
    MD5: 688bed3676d2104e7f17ae1cd2c59404
    SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
    SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
    SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
    Filesize: 1KB
    MD5: 937326fead5fd401f6cca9118bd9ade9
    SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
    SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
    SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                              Filesize

                              6KB

                              MD5

                              7aaea0a2c87b6dbfdbab68945e78cc69

                              SHA1

                              13bfa61a28398cebf212d58db6c4d70b644109da

                              SHA256

                              2e62e51f6fbfe496fe5859b6ca4872f2807cd46472c638f0a9c688190aae7a19

                              SHA512

                              e116bc7aef62894e3f7d446b42d71bb0b42ff12347a5c5d443feb6f4ec0683ee99f9c40d1927a73c143739698c1aa87a12899f30712d250ed1197a4b89c285f4

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                              Filesize

                              6KB

                              MD5

                              0f02958f21733288ffbe18eff67515ea

                              SHA1

                              9bba8b5bb6963ca4d0f18f22a14a494238f9b83d

                              SHA256

                              53341c3e6e125edae07daf105aee6a7882abe8af8029543e8ecb892cdc40c4aa

                              SHA512

                              15eecaf4b985b04a3b686e6d8224f9381e627aee3331d1ece89647add5d50265697366ff0fba433ad2c5ade7898f282594dacf7d29e4747a4a7bae4ee278119f

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                              Filesize

                              7KB

                              MD5

                              f57d454d69c09704e86cd164c6e243de

                              SHA1

                              30d2e77b56d999953dd92a9f4175d3c4612582f1

                              SHA256

                              cfb220e43af5e536fb19cf71dba0838c8c451632293c1367d7097a51f528be56

                              SHA512

                              11983dd862830d4d63e3dcc57169f8b4b5f81b3fc9041f530ea5830f5ec43742ded2f32e7b46188a63012907afb3d2be1bfd25bcaa31507212d6a2a5ed02d810

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                              Filesize

                              1KB

                              MD5

                              07094807a35dcfbf5d8cadc6bc2c19ae

                              SHA1

                              27f32aae434cb21c8ac3266f994905f4e3d6d592

                              SHA256

                              a228d27a75f83f0f062a84eeae1a4c7ee4cd8df06f0098bfcb1ba47915ca5e75

                              SHA512

                              c97f64ba280d35685880b9e0b3b4c196d3dda40d9f6df66187b7771d8d6f3d7bbc4abe08da13b092d75841a335490d5a1a96293ea818c7bb358222104ac73c7b

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                              Filesize

                              1KB

                              MD5

                              e51d16eeb1c1dffa2af720ed3c3e7bd6

                              SHA1

                              d735399b70531dc0756b8ec1a2ea74115bb5e363

                              SHA256

                              7475a94a985f46ff8f35c427ed19af111fe0b1da79986a0abf9d81bc9a3c32ad

                              SHA512

                              27ae4b1805d36c05494561000aacc162852cda05ca8e62eb32101a8f374c90924085767fc08d324969bff298f160ab67a59e148f898e2767070b154e5da301e3

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                              Filesize

                              18KB

                              MD5

                              798ec06fb846e983cd834696178291d5

                              SHA1

                              cc5cf7eb55d02d4fe5385e38244f9f2285682d67

                              SHA256

                              5b42670840623b0141640bfac38557c7fe43d34471172b9da482bc1e92f51163

                              SHA512

                              0f83abdad7e6f29b2b9b0a8cea4f41b9444b1c506da03249d73b59d352873f8186c611aff60337651eca6cdb59f808e574791281f2a2b797a0157c9986cf43e0

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                              Filesize

                              1KB

                              MD5

                              9b2de92378684247b237784a9894992c

                              SHA1

                              5aaa53ad7f47df33f4b03ce0b000b46e9c7e13ab

                              SHA256

                              67872ca83d2b8beb3613c624f0d2fb4d936727e7a1a3dc3efecfe698e17d2f0e

                              SHA512

                              cb6dad48fde36e81102fcee3bf0744d1b7f6bdc3f2499143bf79f787c22765e1cff12e1989a6fe7e1d7ff9a55fead09b131b3eb0c8c9fa473a7e58c3ce05562c

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                              Filesize

                              18KB

                              MD5

                              65ceec1480dbc5d32a45d6021240d1ce

                              SHA1

                              9fee58b8598d342e9dd8e1274d292d5ef9bab232

                              SHA256

                              a844d815fa0aeef4edba499f3705c03962826f33eaab69f3eebca5ad1b6ca962

                              SHA512

                              0d29135e16f6695dbfbc18d0af66b0d796c65b674c3457bc3fef110c6ba45e3fe53bf13494f26dbd983c6ee1a78ab72145cd35571fe91f8cb1ac6d2706059a30

                            • C:\Windows\Logs\DXError.log

                              Filesize

                              705B

                              MD5

                              9c957a4abf49ddeaa08c29af2752536f

                              SHA1

                              b23d2bc72564ef19e918a54dca54f92a67fc19da

                              SHA256

                              8a59e31f8af2c779e9146c8530346f05faa343a0ef08711183ece1fe6058d848

                              SHA512

                              315225c0ae4df222665b50f9499abed0d49f2ea5fc6b7fbf89a1021b68b43911652936338a65e67d52e589940e1aa13cf9d5b4c6270137bd09386cd411c3d9cb

                            • C:\Windows\Logs\DirectX.log

                              Filesize

                              474B

                              MD5

                              561580f7426988957424a4f7b346c1fc

                              SHA1

                              2a5143b01173bda797339efa734bd442526ebd25

                              SHA256

                              e36549b6acfab61fae1ee5111d0f1f5d215f526bc834cdff2fd94682c5a473a1

                              SHA512

                              22dbdf74f9290033dda3b64e8265f45c5eb620f068c16946101b0bd8fe21c65de180eeecff12c68b131733f2684e5a3c8b6354041dab5af00e8a4eb5b80d225d

                            • C:\Windows\Logs\DirectX.log

                              Filesize

                              16KB

                              MD5

                              8c3675b424e97385cf1430e5e42b36fa

                              SHA1

                              419e1672ba77a8bed8af621ae49a2a83c458381c

                              SHA256

                              f6570d50a5a6fbd67730d748890b093400f396601964691803a5185726743254

                              SHA512

                              6409bb227506fb8ce16ba6f64b31f5bf51a175c86fd44e928d27eca259ac4067a462a90d74167a122707af24db7eef8aef5d59aec3c8f2620e3567bfce9927e9

                            • \Users\Admin\AppData\Local\Temp\DXD92A.tmp\dxupdate.dll

                              Filesize

                              173KB

                              MD5

                              7ed554b08e5b69578f9de012822c39c9

                              SHA1

                              036d04513e134786b4758def5aff83d19bf50c6e

                              SHA256

                              fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

                              SHA512

                              7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

                            • \Users\Admin\AppData\Local\Temp\nsv6217.tmp\LangDLL.dll

                              Filesize

                              5KB

                              MD5

                              e447e49175c0db1f27888aede301084f

                              SHA1

                              f5946c743265cd8e81f3e7b6376dada57f99877f

                              SHA256

                              fd26ef21d72797fedecd3d15f2001cea793383aceb3cee19a5ae2a3d30e197b6

                              SHA512

                              e6543bf81bedce94a58f48cd6f9daaec891775e01ff76b771c22d459a778490f9bba0bebbf111b1ca3091b3ca69bca806a9b5e68ce12df03abbaa6ce5c4b7cec

                            • \Users\Admin\AppData\Local\Temp\nsv6217.tmp\System.dll

                              Filesize

                              10KB

                              MD5

                              56a321bd011112ec5d8a32b2f6fd3231

                              SHA1

                              df20e3a35a1636de64df5290ae5e4e7572447f78

                              SHA256

                              bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

                              SHA512

                              5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

                            • \Users\Admin\AppData\Local\Temp\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}\.ba1\wixstdba.dll

                              Filesize

                              118KB

                              MD5

                              4d20a950a3571d11236482754b4a8e76

                              SHA1

                              e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

                              SHA256

                              a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

                              SHA512

                              8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2