hxxps://drive[.]google[.]com/drive/folders/1jFkwNRDCvM9cgbYquXGGdt8CjYyCxrui?usp=drive_link

Analysis

max time kernel
113s
max time network
117s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26-09-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1jFkwNRDCvM9cgbYquXGGdt8CjYyCxrui?usp=drive_link

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4476	фикс ставить после 2 файла(2).exe
832	фикс ставить после 2 файла(2).tmp

Loads dropped DLL 5 IoCs

pid	Process
832	фикс ставить после 2 файла(2).tmp
832	фикс ставить после 2 файла(2).tmp
832	фикс ставить после 2 файла(2).tmp
832	фикс ставить после 2 файла(2).tmp
832	фикс ставить после 2 файла(2).tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
16	drive.google.com
17	drive.google.com
2	drive.google.com
15	drive.google.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\фикс ставить после 2 файла(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\фикс ставить после 2 файла(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\фикс ставить после 2 файла.exe:Zone.Identifier	firefox.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	фикс ставить после 2 файла(2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	фикс ставить после 2 файла(2).tmp

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	фикс ставить после 2 файла(2).tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	фикс ставить после 2 файла(2).tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	фикс ставить после 2 файла(2).tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	фикс ставить после 2 файла(2).tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	фикс ставить после 2 файла(2).tmp

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	firefox.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\фикс ставить после 2 файла.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\фикс ставить после 2 файла(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\фикс ставить после 2 файла(2).exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	firefox.exe
Token: SeDebugPrivilege	2316	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
4476	фикс ставить после 2 файла(2).exe
832	фикс ставить после 2 файла(2).tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 5992 wrote to memory of 2316	5992	firefox.exe	78
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 4344	2316	firefox.exe	79
PID 2316 wrote to memory of 1476	2316	firefox.exe	80
PID 2316 wrote to memory of 1476	2316	firefox.exe	80
PID 2316 wrote to memory of 1476	2316	firefox.exe	80
PID 2316 wrote to memory of 1476	2316	firefox.exe	80
PID 2316 wrote to memory of 1476	2316	firefox.exe	80
PID 2316 wrote to memory of 1476	2316	firefox.exe	80
PID 2316 wrote to memory of 1476	2316	firefox.exe	80
PID 2316 wrote to memory of 1476	2316	firefox.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/drive/folders/1jFkwNRDCvM9cgbYquXGGdt8CjYyCxrui?usp=drive_link"
1⤵
- Suspicious use of WriteProcessMemory
PID:5992
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/drive/folders/1jFkwNRDCvM9cgbYquXGGdt8CjYyCxrui?usp=drive_link
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48a079dc-1332-4b48-8bb8-a7d81435956e} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" gpu
    3⤵
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea03ec29-07fa-4b6c-8fb0-23eb48f257f6} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" socket
    3⤵
    PID:1476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 1 -isForBrowser -prefsHandle 3268 -prefMapHandle 3264 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f21f63c1-2ba2-4b7e-b350-16827810a09b} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -childID 2 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51cd8de1-2f7e-46cb-bcba-1966e745c9b1} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:1900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4640 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4756 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d19ed96-e706-44b9-9972-a1c2c53f9746} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" utility
    3⤵
    - Checks processor information in registry
    PID:1224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 3 -isForBrowser -prefsHandle 4296 -prefMapHandle 5256 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c1363f-bbd9-4efb-95dd-6e85116b41ea} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:2260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 4 -isForBrowser -prefsHandle 5848 -prefMapHandle 5852 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {919a3e64-d1cb-4929-8566-fe23dd8d13f1} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6048 -childID 5 -isForBrowser -prefsHandle 6128 -prefMapHandle 6124 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa5b0a7d-e941-4a26-ace1-47a8f75ecb45} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:4132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5012

C:\Users\Admin\Downloads\фикс ставить после 2 файла(2).exe
"C:\Users\Admin\Downloads\фикс ставить после 2 файла(2).exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4476
- C:\Users\Admin\AppData\Local\Temp\is-EJF79.tmp\фикс ставить после 2 файла(2).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EJF79.tmp\фикс ставить после 2 файла(2).tmp" /SL5="$20316,7711018,152064,C:\Users\Admin\Downloads\фикс ставить после 2 файла(2).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json

Filesize
31KB

MD5
ab095dc9df9e09a4aa38ef25c77f44d4

SHA1
741c8b87b5a8d5cc9f205ca0ecf128b823bbc50b

SHA256
761ad8f9484c861fce3c7a203373e28bc3b6c81c023b4a8128af53cf640f6156

SHA512
731f76aedc4ff2f71381cd7ebe77c259dd56ee0a5d70b5e729866a091d80099e080170f11aaa39f3985bb922fa7c13d3e448564a6fe39671ad63e03be69d6553

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\6EB3D2CCC7D926D467C0DEFE03A47351C05E3F08

Filesize
51KB

MD5
0a9387ca88101043f5ed10f7484082a3

SHA1
05f6ea38cb66409360ffb508f86a3fa815e6e139

SHA256
151a45f40090e874e7207dfa3d18a7c204277c84c6d0661be49dcf8f61b669ff

SHA512
af9bb51cbf78331fb304d0f8a34265bbdb77707bca00b6e71f0853d91d6feea9ad890fedf0da01c35b0c7dadaad483da539e191d499d0a3ab75c88915fca7d79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\F4E46EF0DEA049C46DFC59477818A1D71EED77E8

Filesize
73KB

MD5
d827d52f1e7963877d42906d097eb1ba

SHA1
3df559665e0d0beb3e50ed6f607bea7268123b86

SHA256
0e7f881a0411e2a86880896b5b511cf665598cbb348848255413ffc6f8731a5b

SHA512
e5a0b2242612123e87898a2c1ebb411ba23e5a40002a7ac2844e78cb89554a758e9467fb8e00b0b0d0bb27263d8995506a497ebc69fb13b375b654d0993b7f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-360PO.tmp\CheckBox.png

Filesize
7KB

MD5
abd301b0263b0e0cebdd71e4855ac7d3

SHA1
1e8480c3f3b47a5daa7cb1183b6a7a49998cda6e

SHA256
aff003e75bbf410ed2f7ca8728afe01ab4a517536647ad20109d00c4adf570d5

SHA512
b5abb188bd23d7fc2e3253a5639cc3eba6d21774dba55b43395cf84ddb49fe707ad54dc0a7f157e6b0804c1662d9c4cb4bef2787aafb194ea73fbebd1a63bb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-360PO.tmp\WizardImage.jpg

Filesize
62KB

MD5
b91658597f15d7f689c86f5a2e7824bd

SHA1
00da609aa0b39140b767a3bc2644433d64edbd71

SHA256
b3cda6ab45ad5aa6a0a5f700d2c8987b3c1c1ebda63165d9bd5a566b24dcbd84

SHA512
00b287fb14b947edf4b16d52243e9a992595d8894e83d8590473103d1b54a4670b323db13c4f78234617c44f905baf517e68fcceaad313f3ea7cd44cf036daea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-360PO.tmp\botva2.dll

Filesize
32KB

MD5
295832fa6400cb3407cfe84b06785531

SHA1
7068910c2e0ea7f4535c770517e29d9c2d2ee77b

SHA256
13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

SHA512
50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-360PO.tmp\button.png

Filesize
12KB

MD5
51af4120d6d22b1126cc87a5143740ef

SHA1
1cb4e91e765537a72c9628056d29fbd6a7ce515c

SHA256
c74fed62141f7e666379a0b00d5b39c86975332cf08151cbe8cab88eff2c393c

SHA512
2595be954684ca34bc9284337524a5191c72fbea46b59555a5113ed8404a1e7ab6c2aa0f5a975f832cccdd8934ff1140c679ecd940f31cc14b4c3a362a225cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-360PO.tmp\get_hw_caps.dll

Filesize
76KB

MD5
2e35d2894df3b691dbd8e0d4f4c84efc

SHA1
d0fc14963e397d185e9f2d7dea1d07bc6308d5b9

SHA256
869079ba362cbc560d673db290248ec2aa075a74f22a82d90621f1118f8e1c4d

SHA512
29ba662ab2e77aef0547ff76213a1b6ef52be27a446923790a27cf8b69377621048387dbb9f22001b6d15837dddada84c7350614ec9622258319658822705f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-360PO.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EJF79.tmp\фикс ставить после 2 файла(2).tmp

Filesize
1.4MB

MD5
7300211c571951be86be6c6f8cdfc09d

SHA1
5464e16689003406513c7677b3d970f673551d18

SHA256
e77c3184d90f6e7a1276bb8389aba06296be97deb2e8a3433ca9a537538696da

SHA512
9c340edcd63c87565a9de26892d2e83647798583cc942bf608b54e86b8fd36bc2ad64421241b88f0a0682e7c006a5af712e62d3231ca5a81264d8b1a1905ebb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
6KB

MD5
8692d54aa848209ea23d77935c01c7fd

SHA1
d85352ce10884161640dd950de227fe3da120d9f

SHA256
3a985183a5cb750074f047ec8a25d3864195827fd930aa9c742963761b58557e

SHA512
9952f02a90e50842d31a24e81554160864a2b146d6000626676fbb8fd89efd52d64d650a095f1d5740ff4dde230cba202a6d9e74f3dc84c6c4a60a851150b886

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
7KB

MD5
b99f8ff72b275326815aedb309604574

SHA1
ab5081d991aee505d5514857c3316b28b9444778

SHA256
a597761f8458a75bbf790dd2d549f4df0dc9352fcac851ed94c384298049f131

SHA512
dd52584a31a6396c3d0d63a455e14c2813ed87c815877346f00a934a941078aafd0c1c960158725aa46902c9a814307ddb19ab7b0ae47a96a08c51f840992bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
12KB

MD5
feb9fb664de23c6b9b3731dfc11dd01c

SHA1
00366a4ff8ccd751082b5b5c7601a4e288c2d736

SHA256
36ec2aa1fcc90b1ad1a0b2f202c8a20a7e694b98e4114c6def881b8550d87115

SHA512
10b85aa773f0562ae0d7bf659fae33e002ea71e107accd04d9cd95bc21ee35cdd760acd87bffb6c29cda45e3971df162bb92a3b259b8894ed6408648b490b67c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
30KB

MD5
175e63a7d867d8aab91c496d24063bdc

SHA1
3471ceeebf09da3d71f23b8f11c9594d172758fc

SHA256
1b7005da7dc24413a0faddf9e07d3b17f9a5aa97470c49c0094ebd9cdc23a417

SHA512
137bde963dba32d5c7c6dde8a83f4f2f343da58b3483fa4caf846a0f34a0da3e15a8ea83c69205a36d26624a69a5697de9f695d8b7c6d04b974a7ae76243e247

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
5e3426d839f5006b9670bb99edfe1053

SHA1
0e1c80045738157e2eb41b8b4b80ac660a27cca1

SHA256
54a518e9cee0f2f23cb18895d436180826bf180c2b4b9500c2b472fa0d765eb2

SHA512
9caf6c178701304c6588547b43defa724e351f48d0f22ed6c99f4f3ffe385c76b79d566796e239c1ededd385a2de77ef8109b36387ffa82922886cd59ba83187

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f69b813ee6f6d1c31b80d8b11d2a8af0

SHA1
ea3c71078d7ccde89be8ea92bd7439ca7fbc2633

SHA256
7ef8d594cdb4af754f1ad149389f28a245011397c64ed58f22658243a5f28d91

SHA512
912ec9fc843a73c995f4ec747d581ee5e9c3398152550792bf7f3a21db027b3e955f0a56d4fcbba41af81315d9405d165a4967abb656c2c775cccad233774869

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\09953bd2-2cb8-46d0-8199-bc69fd1aed25

Filesize
982B

MD5
c06c6c73ab8cdd5ed6ee12a64c840136

SHA1
13898dde3a7c6e073b1d4153e26e4fcd111c499b

SHA256
3634a6ba53d6f544edceb7e0c6c2e87c6c2ffd5419eb536594b5ca0bb311fb49

SHA512
8286599202285885d5a330bb017d7b2c84db359f26df585612aa7040ceb5e5c17f2b311ba25d7416556eef52cf6a893490eac23a3ab6f4df802938055dda062c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\6ea43392-9354-443b-8cc2-2e2a6ac40b06

Filesize
671B

MD5
a00b46798f410f201ae9e24a9d6f643b

SHA1
576115a47f52b869dcb63ec1ec3b5fddc6706593

SHA256
3d057855a2003a32ba9b5ae53fdcc4bc3f60a10e7ea18bed1e0aca74feea36fe

SHA512
6944234e766d1534e4fb7aba24cbf0abacfa5d282bdb252a8de5d7b17e416ddc29134c4e97418c7624b29908f19018382a5f458ee22b2a2b3491644aa6563ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\ccf5be5c-81bb-420c-9f6f-da8f49f03cdd

Filesize
27KB

MD5
e384e9e6d9e9646fe225486e3a24371a

SHA1
fb4b07bf728589b0be670e711d0b4ccc84f1f10a

SHA256
b71a72dbe3063bb98a9a3794346bd88eebae49d890dc852324580df5b7a57732

SHA512
cafa27f60871f5c9ae48f420e5c91d63f1188bc2d1254d9a9c87789542582225c39521da466d9cf0258fe2f99bb9f38d85344019496fced281141804f1bf5f55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

Filesize
10KB

MD5
6b3825d245509957f621d3f61867e5bf

SHA1
155be544a3766b9707f835b72d8eb99f6d1734dc

SHA256
a1cb91a91c4bb7119a221a913046d9a6bdc96e2ab41a1330c12ab871554633d6

SHA512
b5d6c2fe47781f7659e302f6d6fe3518cbbd8d6809b722b61e362124aa04b15108e53200edd0cb670e9cfc911e8444b5aa6f7c2cbb872dad9005435577865a47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

Filesize
10KB

MD5
0b5b922e83d7d1ad960ec32c60339e37

SHA1
a5c3701173ad9090600b0a5ab9aec20625e8353d

SHA256
e30e6ae424525d63c32e75f7b23a3dd2df2b87ae708c2c440eec265c4c566ef3

SHA512
b65bd0964cbf7ab562015a018c7fa27e4a913cf4097b9819ba9141542dbbc49708fb042cd547aae73889b9e2fe548016b992f8540e8c851db6ae2e5bd71bc78e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

Filesize
11KB

MD5
3f4ceee915beb3563e64eb956b8404ea

SHA1
ad157b2bec0bad2c8b1cc5cd101ddccee763c4a6

SHA256
e546ed1b7ce61c05ca63eee5b33147c3a27e6e03b76399e170791013edb7e3d1

SHA512
2749abef24c2e3f8c4dcadadc38a3f09f0d8339c203ec87f261f2f93dc19bef87a565af0b5ea1324bf1ee450cebe33185f4dc275fa568b7bede76a3b149352cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
273e984e3f32b227dac5111470a03630

SHA1
23bc28a4eaa6f6be5a5cf0379295ef0390bf34bf

SHA256
ac4827f5d0b06fc6940470becca33a12b1f6c949c9b12962a361c80a292ac5c9

SHA512
09d47d5a301387ef641009e6fdd8ec1f63f7d7e61b69afffdfc1cbba8e1d0101925105490add666c2fe1acb1743f64062a071d455ca59fd2d9489d7652af22d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
7543bba2ea644e3b89f26bab94c1b2c2

SHA1
fed73d8eebfa07289d3f73437940d7a86220b266

SHA256
9b1edf82b62323284c89409adb1ad09485d16b2280f50da1fc32d5694618e57b

SHA512
504dccb4eb8a0c7bedbf7fd006bf1e3c34b60371ef36519748fdfbc36704a831106f10e68f69e381379cbe892ee6937143be2eb996907f9f0f315a996b79c432

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
e9ee16589c320a4990cb32c03d2077d6

SHA1
ba2d83e925dc113945c48807d24ee5eca0a4e9b3

SHA256
bfe85a53980612095547178d3145f94bfd664a7c1676aac394a7f38080ea5804

SHA512
b9fec8b249565e0bcf0abe76cf833fc3078355b62367b6517666404576fef5ddd93a06bbfb2ec23544bfa00366aa07e1bcf9e81aef41788609290e3ef6c3ffab

Download Submit
C:\Users\Admin\Downloads\фикс ставить после 2 файла(2).exe

Filesize
7.8MB

MD5
4383cb171587c38a7732ac9fc0ee6bc6

SHA1
0e18b1dc9d0d06cfe530d2d94c803a28791a2f56

SHA256
7d62e0d3def96751cb90481902ca6ea39059428316bbbd8c3c106b484d188700

SHA512
5496d1156ad461d81f13431c17664dae555220675d53d88a100bd3aa7306370a5321ded490d9644ddaa2a19d46a64d54e2f3ba97edbc0c3c46495a876da8ce9c

Download Submit
C:\Users\Admin\Downloads\фикс ставить после 2 файла.02OeY1oj.exe.part

Filesize
1024KB

MD5
c812f599557f7558808172c43de62bf4

SHA1
6f41b12860e9d67e688b4bfe245fce24d6342aae

SHA256
57403122561af08ede58773065b2f8e11fb2149cabb4bd9e4ca1ac04983fdeee

SHA512
dd67da7707a552f8ab7b3afcd8fa964b7fe96ac5614894e14319e7f992a9a18eb344778c6a7ec64c32dda1f1ebc45bfb234036fcabd51c36c54e1074e55a7565

Download Submit
memory/832-982-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/832-940-0x0000000005990000-0x00000000059A5000-memory.dmp

Filesize
84KB

Download
memory/832-897-0x0000000002CA0000-0x0000000002CAD000-memory.dmp

Filesize
52KB

Download
memory/832-980-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/832-872-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/832-983-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/832-987-0x0000000005990000-0x00000000059A5000-memory.dmp

Filesize
84KB

Download
memory/832-985-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/832-986-0x0000000002CA0000-0x0000000002CAD000-memory.dmp

Filesize
52KB

Download
memory/4476-863-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4476-861-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-984-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download