Analysis
max time kernel: 571s
max time network: 439s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 09:25
Static task: static1
Behavioral task: behavioral1
Sample: Loader.rar
Resource: win10v2004-20241007-en
General
Target: Loader.rar
Size: 2.0MB
MD5: 8671554bf9863c593f84d79c447a20dd
SHA1: cd7a78b0bed0ca1759eb670f70afe3b1106ef321
SHA256: 09d6c526462cbfa46905ab552067853e3ef34ff6e2db05de3d9c3e7b2a42decc
SHA512: a85524ede477163bad01eb1cf2595ff1056207265e8e1358681129ce46392a7f569b46b600687095525623421c727867ea53bc09c1ff7b57d1c4c4446263d090
SSDEEP: 24576:MAbFF+p38UDf3o4YTOzJrh/3+WLH1jHLJ3k+UKTiRZ3IxjGIgm6GFprMlJD9GRNO:vbf+l8UDDQmrHiRZYxlPW3j
Malware Config
Signatures

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid   Process
  1956  dxwebsetup.exe
  212   dxwsetup.exe

Loads dropped DLL (3 IoCs)
  pid  Process
  212  dxwsetup.exe (3 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: dxwebsetup.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only), all by dxwsetup.exe
  ioc: \??\V: \??\Z: \??\A: \??\H: \??\K: \??\P: \??\R: \??\U: \??\E: \??\G: \??\O: \??\Q: \??\I: \??\T: \??\W: \??\B: \??\J: \??\L: \??\M: \??\N: \??\S: \??\X: \??\Y:

Drops file in System32 directory (9 IoCs)
  description                   ioc                                                   Process
  File opened for modification  C:\Windows\SysWOW64\DirectX\WebSetup                  dxwsetup.exe
  File opened for modification  C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat     dxwsetup.exe
  File opened for modification  C:\Windows\SysWOW64\directx\websetup\SET2045.tmp      dxwsetup.exe
  File created                  C:\Windows\SysWOW64\directx\websetup\SET2045.tmp      dxwsetup.exe
  File opened for modification  C:\Windows\SysWOW64\directx\websetup\dsetup.dll       dxwsetup.exe
  File opened for modification  C:\Windows\SysWOW64\directx\websetup\dsetup32.dll     dxwsetup.exe
  File opened for modification  C:\Windows\SysWOW64\directx\websetup\SET2055.tmp      dxwsetup.exe
  File created                  C:\Windows\SysWOW64\directx\websetup\SET2055.tmp      dxwsetup.exe
  File created                  C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab     dxwsetup.exe

Drops file in Windows directory (1 IoC)
  description                   ioc                           Process
  File opened for modification  C:\Windows\Logs\DirectX.log   dxwsetup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  description   ioc                                                        Process
  File created  C:\Users\Admin\Downloads\dxwebsetup.exe:Zone.Identifier    firefox.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dxwebsetup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dxwsetup.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision    firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe

Modifies registry class (1 IoC)
  description  ioc                                                                                Process
  Key created  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings  firefox.exe

NTFS ADS (1 IoC)
  description   ioc                                                        Process
  File created  C:\Users\Admin\Downloads\dxwebsetup.exe:Zone.Identifier    firefox.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  Process
  920  7zFM.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   920   7zFM.exe
  Token: 35                   920   7zFM.exe
  Token: SeSecurityPrivilege  920   7zFM.exe
  Token: SeDebugPrivilege     2168  firefox.exe (6 entries)

Suspicious use of FindShellTrayWindow (23 IoCs)
  pid   Process
  920   7zFM.exe (2 entries)
  2168  firefox.exe (21 entries)

Suspicious use of SendNotifyMessage (20 IoCs)
  pid   Process
  2168  firefox.exe (20 entries)

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid   Process
  2168  firefox.exe (7 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process      procid_target
  PID 4204 wrote to memory of 2168  4204  firefox.exe  86  (11 entries)
  PID 2168 wrote to memory of 3684  2168  firefox.exe  87  (45 entries)
  PID 2168 wrote to memory of 1908  2168  firefox.exe  88  (8 entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Program Files\7-Zip\7zFM.exe  (PID 920)
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Loader.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[depth 1] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4204)
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2168)
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3684, gpu)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {245398a2-30cb-4de7-961d-4711adafc9ec} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" gpu

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1908, socket)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12baeead-4dad-4901-ac93-196dab7263f0} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" socket

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2040, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1748 -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 2852 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25b77cb3-2a55-4088-a1f0-e280b65cbcf6} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3796, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1148 -childID 2 -isForBrowser -prefsHandle 3880 -prefMapHandle 2572 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b0a29dc-95f5-4b76-9e04-45a659ee7939} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5116, utility)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 4852 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b729bd97-4f33-448d-94e8-8ceabefe5fb0} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" utility
      - Checks processor information in registry

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4976, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 2772 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29f377f0-3470-49da-8fe6-07fd346d4fe0} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3716, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff0b77d8-e47b-4406-b18c-4bc55e88d9a6} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4864, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5664 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {670b2d1a-583e-4fbc-a325-2f6f488a99d2} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4124, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 6 -isForBrowser -prefsHandle 3040 -prefMapHandle 2916 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc7fc6dd-1527-4997-ba35-a86c5b0596d7} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3268, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6460 -childID 7 -isForBrowser -prefsHandle 6444 -prefMapHandle 6448 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf0481b-686c-4d0b-a2ae-8c882e3eef6b} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3900, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6464 -childID 8 -isForBrowser -prefsHandle 6528 -prefMapHandle 6540 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d09094-a828-407c-8e8b-ffb5af57767e} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3604, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6548 -childID 9 -isForBrowser -prefsHandle 4360 -prefMapHandle 3028 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94ebff64-eec2-4773-b75d-1ed08f6d6e86} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3028, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6808 -childID 10 -isForBrowser -prefsHandle 6524 -prefMapHandle 6520 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e61c7f65-bf0b-4ed8-990c-ebe8fd67e954} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab

    [depth 3] C:\Users\Admin\Downloads\dxwebsetup.exe  (PID 1956)
      command line: "C:\Users\Admin\Downloads\dxwebsetup.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe  (PID 212)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json
  Filesize: 19KB
  MD5: ff835996c659374ee0bd400514cc9d96
  SHA1: f627e107b790257a35f397ed7bb537f9a1007ec0
  SHA256: d8918629b5f1c1130bb26399813fb9bee2b2665be02ff403bf236554cb3b77b9
  SHA512: 02539841e336d0be14bfd3bc3173dfe65d85f5310424980e7aa3c1982ee93822e5dd3d61d9aa9c26516b551efeee1ea8c1a36c127ff7609895f0552daf0a3f09

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
  Filesize: 15KB
  MD5: 96c542dec016d9ec1ecc4dddfcbaac66
  SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
  SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
  SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

  Filesize: 93KB
  MD5: 984cad22fa542a08c5d22941b888d8dc
  SHA1: 3e3522e7f3af329f2235b0f0850d664d5377b3cd
  SHA256: 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
  SHA512: 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

  Filesize: 1.5MB
  MD5: a5412a144f63d639b47fcc1ba68cb029
  SHA1: 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
  SHA256: 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
  SHA512: 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

  Filesize: 65KB
  MD5: b36d3f105d18e55534ad605cbf061a92
  SHA1: 788ef2de1dea6c8fe1d23a2e1007542f7321ed79
  SHA256: c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae
  SHA512: 35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

  Filesize: 173KB
  MD5: 7ed554b08e5b69578f9de012822c39c9
  SHA1: 036d04513e134786b4758def5aff83d19bf50c6e
  SHA256: fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2
  SHA512: 7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

  Filesize: 56KB
  MD5: 7b1fbe9f5f43b2261234b78fe115cf8e
  SHA1: dd0f256ae38b4c4771e1d1ec001627017b7bb741
  SHA256: 762ff640013db2bd4109d7df43a867303093815751129bd1e33f16bf02e52cce
  SHA512: d21935a9867c0f2f7084917c79fbb1da885a1bfd4793cf669ff4da8c777b3a201857250bfb7c2b616625a8d3573c68395d210446d2c284b41cf09cc7cbb07885

  Filesize: 56KB
  MD5: 2c4d9e4773084f33092ced15678a2c46
  SHA1: bad603d543470157effd4876a684b9cfd5075524
  SHA256: ed710d035ccaab0914810becf2f5db2816dba3a351f3666a38a903c80c16997a
  SHA512: d2e34cac195cfede8bc64bdc92721c574963ff522618eda4d7172f664aeb4c8675fd3d4f3658391ee5eaa398bcd2ce5d8f80deecf51af176f5c4bb2d2695e04e

  Filesize: 515KB
  MD5: ac3a5f7be8cd13a863b50ab5fe00b71c
  SHA1: eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9
  SHA256: 8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da
  SHA512: c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

  Filesize: 477B
  MD5: ad8982eaa02c7ad4d7cdcbc248caa941
  SHA1: 4ccd8e038d73a5361d754c7598ed238fc040d16b
  SHA256: d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
  SHA512: 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28
  Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

  Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C9CZOCEX9I7UN73NJYHS.temp
  Filesize: 13KB
  MD5: 965a6ec6454e6a608d2e9bc34ed5ac07
  SHA1: 53baaa5973ae8852b3af298630d19b850c60464e
  SHA256: 61a867c42c8b2658cbda8b86454554f95bd658f3e8fcd43bc5b334a5d1dfdfd7
  SHA512: 181feeffe3d740f876803dc79cc31a6221c5e76dd09f23fc0344f27a5a08555d000554662d0024175748b0f2475e4f271e9eecb70c586fe2bcc72f74e8b21aa6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin
  Filesize: 6KB
  MD5: 98950b712845c8d820afc0076ba30a68
  SHA1: 2024272008b52ebd3739d6acad66c8c099d0322b
  SHA256: 89ed4823755444f0cf1e6a92fc8526ba0cd5a978571c0278f0853a8abed2d4ad
  SHA512: 777a231f70415b703518097c9a4e4dac1750362a6caee111c060189b60596d3286d2cb9a17f3215b55269103d065df3287becfc864aaa66ee1ea96b02af72ba7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: 4abf02f58dbdfa2044ffe89c05014881
  SHA1: 5053d4c17f8a344378d3f8446fbc687c66d64991
  SHA256: e6919c0fe67d54672254c3d37ffb73d96ac51b07a018fff958ea02fdc1ec84cd
  SHA512: 4a376541ff36f986d61b00290fcd34131c004401c50dc3c775dac24dc79f010ea36c227c2efea97b88931c81a09070e110a916d8ae324bb65cfc3687945bd1bc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\bookmarkbackups\bookmarks-2024-12-16_11_8b5xwA3e+tTFYcTOOMYAkg==.jsonlz4
  Filesize: 1003B
  MD5: 4bd6ab0cf5a3088eb3b35b17269b174e
  SHA1: 27181bb2365d763490f1a986b6b3c458a494bb06
  SHA256: 12d44135129d8c80baabed5173ff1252788879e8082591b3c6ffbc5ee7adaa05
  SHA512: d2366d02c4fe4f19afb33d7feea89e275b189948b4845b6d6b1f52beb2616ff1e15abb7c13ea95d097822db960b8870e7f73c9848dadb3362c18d6fd5984add9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: 37260ebc8cc7e111cff9f6972629c079
  SHA1: 1a7d9daf909efca766078ab51b437ae303353dd4
  SHA256: b5c602de6de6d19262dfead9720518806ffdb7029a2aeb5a7a552d7bbac411a1
  SHA512: 09c6a84f4980c1a36d4de8b87c21cb220422308b0387a7a5fc7d8f4c058e03a510af8c3e1023c53d600ee81aff4687db301d65ce4309be44b1b51a74d761f706

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 21KB
  MD5: ccf1d1d38d02a6828e3a879810d84a27
  SHA1: 42f4f54384bab86aeb805ad4d12344c3492e541d
  SHA256: 51bdfcf9ce006591cc8c11844cfd40f86a9f556d5936e64f288b447443b2cf82
  SHA512: d89595e5b7028117ccf1fc0d798f1e6c76909b9fd393ef67e091445b9d16277a1f01b33a7f1ac35e315bb9dc7b20679a4ec26fa0dee6e6d35e9b189c505d40ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 21KB
  MD5: 8adac8526aa531ce75a7bf2d99897f4c
  SHA1: 0b799272e92c5fa7328c5fa05aa65f80606e1e90
  SHA256: a4b523beea3dd45a68d12b5918a434b51112ab8d12cca8c2c804120a9a76cf25
  SHA512: 4e71577327464ea7df615be31e62a9abd5a6268882d83f0ebc34940a856268b62118cb03d7dbd4c192d60503bccd61ee34810981128040921444b581e2fd588b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\42881ce1-6220-40dc-91c6-c78ad8c1dfb4
  Filesize: 671B
  MD5: bfffc99e41522a09a6dfc14c4790d14d
  SHA1: 1cccf60334c9c778b5f9a07671098a3c31c9885c
  SHA256: fbc68886bdcb1b523a6e3facb81080420418772e0625ddd43cff9b518e0d3c52
  SHA512: 8c2ff8b2821db2e2ddee78c1a4a6964e590cc0f169ecac560e91995b3c1e4dcf4905dcf25ae9414f819be6a53842ac6cf2c4c5d742696ff7c655e5f2216412c8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\a095a6c6-8981-4eb5-a0f3-3905454299f5
  Filesize: 27KB
  MD5: 196596f6fa73510ab69ee634815a2e42
  SHA1: f36a5383e01c654b2ab1c1ee1a16fb0f6550c02b
  SHA256: 1f4c8ca036debd25cb4f431c8ca7af785f60e9d9fdbcfae28fcd68f8de9ef61c
  SHA512: a741ee88af26373743ec784f8ca6a7188504f3fe964f3e892e744d7b1c14c6f90af03d8e79f415d734fc489b2373619ea79a584370542b05906b83ce7b4a4b2c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\a748beb3-e51c-4e86-a83e-6930dabde765
  Filesize: 982B
  MD5: 9f7f96c16158769f131c344f1b0d6b80
  SHA1: e6389e5b16ef0419d958d74bc29e008fbc51db26
  SHA256: 154c76efa3fb89905359e903f9fe8dd7840d02da19b3ec1ffb006c58a50ac291
  SHA512: ad203a347180df55ceffaf6c37e55127e4f422cc089fbeca60b24417c14014eb1000ff2002408a83db413eb05c8ce86c666af182957273a2bc63c7aca143be60
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

  Filesize: 12KB
  MD5: e5e2c39104d4e60c9d6abb74c95a83a4
  SHA1: dc9196b4072dff1566231e9dbed468ad9a0f654f
  SHA256: 591e6e479cf1290db46b52be65bbf2d4bd47205cdc77a61a76ddbb0152f856ed
  SHA512: 1b57657cd90a4fc0682f339bdbd10ff0ca3b29643bb2f9af83aef9f5ffb7a6259bdc07c8918437ca89b401e4b100c0b723588a3b5ec3be78ccdb871dfd53d574

  Filesize: 11KB
  MD5: 5108a98be465cdfffb13054b3aa95d38
  SHA1: 1d0eb28fc7bb5cdc814d50f39253ad2bf613627c
  SHA256: e3df2433b131b6c897ad7f4b0812b8a1da44b1ac483247924ccaa92452a2d7f5
  SHA512: 24809ce9724e76c4da90c4b97eb95f2e6e8c1ff42b7a511ffb1e0ec1d8439614fc434850874dc54ac9df84366932cbc1637c2249c42b29cac2abf7f8703c8b8b

  Filesize: 10KB
  MD5: 95175fba333e27893c22ade56e08263c
  SHA1: 2d9de4d0d3d21c538d05006c062254e65a0a1751
  SHA256: 34f2112640c341fafbb56f24263d31198fe75eb77bc77feb50442fb99b27724b
  SHA512: 02460db7cb52a060994edfebbf348ff0018ddf3e12a9628eaceae98eaf703d0482c1978b3b27da642f822fb97f32ac9b5304ea883fa6419b4735efb60f5172b8

  Filesize: 10KB
  MD5: 4c94e8c4017d4ae4bc15ecbb87278fc9
  SHA1: e589d38347b0fdbe18f249d5e25f846b808608fd
  SHA256: d75fe4e97b0382c23f5f42456460143b2ce16c7e7be3ee857173ce15f78cf960
  SHA512: 3c32508a9b07013c05ae28a641c4afde4c520b4bc7022c0a6eef90ab4ed2bce3d6623cf4aa1d75bf4e00ad72d5d59a9ab7fdd311055c365a7347e601942d4103

  Filesize: 11KB
  MD5: 718bffc3d2d4120db94f8c6693654fe8
  SHA1: 9e9238bbd2f12b53f8695171b1003d67995d412d
  SHA256: 7b146bf5529656317d5e000dc7bd9e58e983bd370fda05e74047b78e409d4acf
  SHA512: efdea40af75b461b21f068f2d4532dcf088005954e59bfc19bfbd8f4182285f0fda47ac7d1a862e93c0bdaeef051f0320112e3f68f2ce19213f48824d9d301f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\sessionstore-backups\recovery.baklz4
  Filesize: 4KB
  MD5: 76541fda9fa81b3f4c5e837e2192214b
  SHA1: 210cea60ac00a1818e415426bfe3f83a5c859c0f
  SHA256: 9e6fa383495d7bd0c1984126f10df9baabe2d88428d25f357c2f15d092aff78c
  SHA512: e8d12fe83364647b07f080dca2aaf0503dfd30937d9f567ac2e70902fcb83eb470ffbef0e924c0a4a8411c144f32327be987d330cf5fa89862e426663bfc2247

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\sessionstore-backups\recovery.baklz4
  Filesize: 8KB
  MD5: 082cece48f5a4148b8df6a00d8bca10a
  SHA1: 317d20aa945e63dd9c01aa73627c00c248d14629
  SHA256: 2e4b1f1de3786bfd8e18cb8187cde0452f555e7376d6f50f263c896103b907a7
  SHA512: e56d09ba728246fbe35854106dc9f7c08536515d7f73096ad633f5fbbb6d54e6a56856b83a12c9aac66348260ee414aace6ad09840fc07348942780cd216736a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\sessionstore-backups\recovery.baklz4
  Filesize: 8KB
  MD5: c1122541774207d2d6cc58941551b287
  SHA1: 184b9c376add65b9fd1187d23e8f1c7271ecb1c2
  SHA256: 036a70b1c1884d4e9b18fe84df790475271d3a60594fa0bcad359423448f2688
  SHA512: 8d8140d641158ddf26166ea0155b521896ae94654abf87d01bd510b77a5cc65b60386ca346c3716df85d6805b40c412612a6b830dee432f09dc0c4bba572d4ec
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 552KB
  MD5: 9894979a64735d07d8c519e4e7db69a0
  SHA1: 94e67d6d6f58272d247480133737e06f4f2f8bae
  SHA256: 4707cc0fd4aba908d758de5ef672b4401bcead75641ec403fa137c1feeb779ec
  SHA512: 13533898d78410101737528effcb807a0d751836d278e9c2832d458f22299d4492e5b40d7a0a36ce82e5b91cfedbc2e4b9d6248916decf277bbc0488e7840b2e

  Filesize: 288KB
  MD5: 2cbd6ad183914a0c554f0739069e77d7
  SHA1: 7bf35f2afca666078db35ca95130beb2e3782212
  SHA256: 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
  SHA512: ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

  Filesize: 78KB
  MD5: b5886a4f8980b736b4ee346c22da27f3
  SHA1: 40180ae3e0d747ed089f086a0b1aa327e9cc7db6
  SHA256: d8a7ce87af8a53ff7250385864918eba2c31ee7d23396ee2cc9774c5783ca7f5
  SHA512: 507b3f5445a9385838adc95114cabd73dde5c6c983bfc421810a7bec46b32665b10557f8468609f4416a7cbefbe83f8d718405027bfa81a84aae63f8b98edc32

  Filesize: 95KB
  MD5: 53116eaad6d604f45b7602794c9296bd
  SHA1: eef7227e499231e1b583e869c78bca7e7d1164a6
  SHA256: d4b52609964624ad82f446b2e4e15588dd0035b91bc11fa6e5cae0e580940e74
  SHA512: 96dbabd9263b319ef5725fdd9008144eb3b7834a990ed7adb366a7241d8a44c88b2d7da9814eb397dd8ac04d06853e786d631921f7afa0e8f46cbc862810e107

  Filesize: 98KB
  MD5: 4afd7f5c0574a0efd163740ecb142011
  SHA1: 3ebca5343804fe94d50026da91647442da084302
  SHA256: 6e39b3fdb6722ea8aa0dc8f46ae0d8bd6496dd0f5f56bac618a0a7dd22d6cfb2
  SHA512: 6f974acec7d6c1b6a423b28810b0840e77a9f9c1f9632c5cba875bd895e076c7e03112285635cf633c2fa9a4d4e2f4a57437ae8df88a7882184ff6685ee15f3f

  Filesize: 137B
  MD5: cec960807fa5bec11ad4a31c3512da4d
  SHA1: a3ac60a3518747d3bbead5edfd17e155cf7ce9f7
  SHA256: f960075a7b1c2590e18700f3230f7baea9aced3e6ba5dc93dac193027b5cec48
  SHA512: 2da2d935f9b96bd36536f3a7a494775c8ed9bfef6538ffe66307b73cd5c82210fc43bbe6706d74d99dd5b924fb78a0d1beceee8c0e22d91e17b1346dd85690ec

  Filesize: 111B
  MD5: d6f81567baaf05b557d9bc6c348cb5f1
  SHA1: 0c840165fcd34d996c85b6b44b00c7206bf772b6
  SHA256: e60413bec64775bf1933ef4f9673c8bcfbe0ce71e950fd589bbd14c0f9a00359
  SHA512: 09b84cc9199592821d7de38cbe24332097b276bb25b6d09f7dcdc3a6b17369ee944a6f8120f13ea6a5c15eb759a90d7ce29cc845a5c0680ff2fa53e2623171e2