Analysis

  • max time kernel
    571s
  • max time network
    439s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 09:25

General

  • Target

    Loader.rar

  • Size

    2.0MB

  • MD5

    8671554bf9863c593f84d79c447a20dd

  • SHA1

    cd7a78b0bed0ca1759eb670f70afe3b1106ef321

  • SHA256

    09d6c526462cbfa46905ab552067853e3ef34ff6e2db05de3d9c3e7b2a42decc

  • SHA512

    a85524ede477163bad01eb1cf2595ff1056207265e8e1358681129ce46392a7f569b46b600687095525623421c727867ea53bc09c1ff7b57d1c4c4446263d090

  • SSDEEP

    24576:MAbFF+p38UDf3o4YTOzJrh/3+WLH1jHLJ3k+UKTiRZ3IxjGIgm6GFprMlJD9GRNO:vbf+l8UDDQmrHiRZYxlPW3j

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Detected potential entity reuse from brand MICROSOFT.
  • Drops file in System32 directory (9 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the Mark-of-the-Web (MOTW).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of FindShellTrayWindow (23 IoCs)
  • Suspicious use of SendNotifyMessage (20 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Loader.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:920
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4204
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {245398a2-30cb-4de7-961d-4711adafc9ec} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" gpu
        3⤵
          PID:3684
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12baeead-4dad-4901-ac93-196dab7263f0} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" socket
          3⤵
            PID:1908
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1748 -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 2852 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25b77cb3-2a55-4088-a1f0-e280b65cbcf6} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
            3⤵
              PID:2040
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1148 -childID 2 -isForBrowser -prefsHandle 3880 -prefMapHandle 2572 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b0a29dc-95f5-4b76-9e04-45a659ee7939} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
              3⤵
                PID:3796
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 4852 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b729bd97-4f33-448d-94e8-8ceabefe5fb0} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" utility
                3⤵
                • Checks processor information in registry
                PID:5116
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 2772 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29f377f0-3470-49da-8fe6-07fd346d4fe0} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
                3⤵
                  PID:4976
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff0b77d8-e47b-4406-b18c-4bc55e88d9a6} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
                  3⤵
                    PID:3716
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5664 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {670b2d1a-583e-4fbc-a325-2f6f488a99d2} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
                    3⤵
                      PID:4864
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 6 -isForBrowser -prefsHandle 3040 -prefMapHandle 2916 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc7fc6dd-1527-4997-ba35-a86c5b0596d7} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
                      3⤵
                        PID:4124
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6460 -childID 7 -isForBrowser -prefsHandle 6444 -prefMapHandle 6448 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf0481b-686c-4d0b-a2ae-8c882e3eef6b} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
                        3⤵
                          PID:3268
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6464 -childID 8 -isForBrowser -prefsHandle 6528 -prefMapHandle 6540 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d09094-a828-407c-8e8b-ffb5af57767e} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
                          3⤵
                            PID:3900
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6548 -childID 9 -isForBrowser -prefsHandle 4360 -prefMapHandle 3028 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94ebff64-eec2-4773-b75d-1ed08f6d6e86} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
                            3⤵
                              PID:3604
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6808 -childID 10 -isForBrowser -prefsHandle 6524 -prefMapHandle 6520 -prefsLen 27193 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e61c7f65-bf0b-4ed8-990c-ebe8fd67e954} 2168 "\\.\pipe\gecko-crash-server-pipe.2168" tab
                              3⤵
                                PID:3028
                              • C:\Users\Admin\Downloads\dxwebsetup.exe
                                "C:\Users\Admin\Downloads\dxwebsetup.exe"
                                3⤵
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                PID:1956
                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                  4⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Enumerates connected drives
                                  • Drops file in System32 directory
                                  • Drops file in Windows directory
                                  • System Location Discovery: System Language Discovery
                                  PID:212

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json

                            Filesize

                            19KB

                            MD5

                            ff835996c659374ee0bd400514cc9d96

                            SHA1

                            f627e107b790257a35f397ed7bb537f9a1007ec0

                            SHA256

                            d8918629b5f1c1130bb26399813fb9bee2b2665be02ff403bf236554cb3b77b9

                            SHA512

                            02539841e336d0be14bfd3bc3173dfe65d85f5310424980e7aa3c1982ee93822e5dd3d61d9aa9c26516b551efeee1ea8c1a36c127ff7609895f0552daf0a3f09

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

                            Filesize

                            15KB

                            MD5

                            96c542dec016d9ec1ecc4dddfcbaac66

                            SHA1

                            6199f7648bb744efa58acf7b96fee85d938389e4

                            SHA256

                            7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                            SHA512

                            cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

                            Filesize

                            93KB

                            MD5

                            984cad22fa542a08c5d22941b888d8dc

                            SHA1

                            3e3522e7f3af329f2235b0f0850d664d5377b3cd

                            SHA256

                            57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

                            SHA512

                            8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

                            Filesize

                            1.5MB

                            MD5

                            a5412a144f63d639b47fcc1ba68cb029

                            SHA1

                            81bd5f1c99b22c0266f3f59959dfb4ea023be47e

                            SHA256

                            8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

                            SHA512

                            2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.cif

                            Filesize

                            65KB

                            MD5

                            b36d3f105d18e55534ad605cbf061a92

                            SHA1

                            788ef2de1dea6c8fe1d23a2e1007542f7321ed79

                            SHA256

                            c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae

                            SHA512

                            35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll

                            Filesize

                            173KB

                            MD5

                            7ed554b08e5b69578f9de012822c39c9

                            SHA1

                            036d04513e134786b4758def5aff83d19bf50c6e

                            SHA256

                            fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

                            SHA512

                            7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif

                            Filesize

                            56KB

                            MD5

                            7b1fbe9f5f43b2261234b78fe115cf8e

                            SHA1

                            dd0f256ae38b4c4771e1d1ec001627017b7bb741

                            SHA256

                            762ff640013db2bd4109d7df43a867303093815751129bd1e33f16bf02e52cce

                            SHA512

                            d21935a9867c0f2f7084917c79fbb1da885a1bfd4793cf669ff4da8c777b3a201857250bfb7c2b616625a8d3573c68395d210446d2c284b41cf09cc7cbb07885

                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif

                            Filesize

                            56KB

                            MD5

                            2c4d9e4773084f33092ced15678a2c46

                            SHA1

                            bad603d543470157effd4876a684b9cfd5075524

                            SHA256

                            ed710d035ccaab0914810becf2f5db2816dba3a351f3666a38a903c80c16997a

                            SHA512

                            d2e34cac195cfede8bc64bdc92721c574963ff522618eda4d7172f664aeb4c8675fd3d4f3658391ee5eaa398bcd2ce5d8f80deecf51af176f5c4bb2d2695e04e

                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

                            Filesize

                            515KB

                            MD5

                            ac3a5f7be8cd13a863b50ab5fe00b71c

                            SHA1

                            eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

                            SHA256

                            8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

                            SHA512

                            c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

                            Filesize

                            477B

                            MD5

                            ad8982eaa02c7ad4d7cdcbc248caa941

                            SHA1

                            4ccd8e038d73a5361d754c7598ed238fc040d16b

                            SHA256

                            d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

                            SHA512

                            5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                            Filesize

                            479KB

                            MD5

                            09372174e83dbbf696ee732fd2e875bb

                            SHA1

                            ba360186ba650a769f9303f48b7200fb5eaccee1

                            SHA256

                            c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                            SHA512

                            b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                            Filesize

                            13.8MB

                            MD5

                            0a8747a2ac9ac08ae9508f36c6d75692

                            SHA1

                            b287a96fd6cc12433adb42193dfe06111c38eaf0

                            SHA256

                            32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                            SHA512

                            59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C9CZOCEX9I7UN73NJYHS.temp

                            Filesize

                            13KB

                            MD5

                            965a6ec6454e6a608d2e9bc34ed5ac07

                            SHA1

                            53baaa5973ae8852b3af298630d19b850c60464e

                            SHA256

                            61a867c42c8b2658cbda8b86454554f95bd658f3e8fcd43bc5b334a5d1dfdfd7

                            SHA512

                            181feeffe3d740f876803dc79cc31a6221c5e76dd09f23fc0344f27a5a08555d000554662d0024175748b0f2475e4f271e9eecb70c586fe2bcc72f74e8b21aa6

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin

                            Filesize

                            6KB

                            MD5

                            98950b712845c8d820afc0076ba30a68

                            SHA1

                            2024272008b52ebd3739d6acad66c8c099d0322b

                            SHA256

                            89ed4823755444f0cf1e6a92fc8526ba0cd5a978571c0278f0853a8abed2d4ad

                            SHA512

                            777a231f70415b703518097c9a4e4dac1750362a6caee111c060189b60596d3286d2cb9a17f3215b55269103d065df3287becfc864aaa66ee1ea96b02af72ba7

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin

                            Filesize

                            8KB

                            MD5

                            4abf02f58dbdfa2044ffe89c05014881

                            SHA1

                            5053d4c17f8a344378d3f8446fbc687c66d64991

                            SHA256

                            e6919c0fe67d54672254c3d37ffb73d96ac51b07a018fff958ea02fdc1ec84cd

                            SHA512

                            4a376541ff36f986d61b00290fcd34131c004401c50dc3c775dac24dc79f010ea36c227c2efea97b88931c81a09070e110a916d8ae324bb65cfc3687945bd1bc

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\bookmarkbackups\bookmarks-2024-12-16_11_8b5xwA3e+tTFYcTOOMYAkg==.jsonlz4

                            Filesize

                            1003B

                            MD5

                            4bd6ab0cf5a3088eb3b35b17269b174e

                            SHA1

                            27181bb2365d763490f1a986b6b3c458a494bb06

                            SHA256

                            12d44135129d8c80baabed5173ff1252788879e8082591b3c6ffbc5ee7adaa05

                            SHA512

                            d2366d02c4fe4f19afb33d7feea89e275b189948b4845b6d6b1f52beb2616ff1e15abb7c13ea95d097822db960b8870e7f73c9848dadb3362c18d6fd5984add9

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

                            Filesize

                            5KB

                            MD5

                            37260ebc8cc7e111cff9f6972629c079

                            SHA1

                            1a7d9daf909efca766078ab51b437ae303353dd4

                            SHA256

                            b5c602de6de6d19262dfead9720518806ffdb7029a2aeb5a7a552d7bbac411a1

                            SHA512

                            09c6a84f4980c1a36d4de8b87c21cb220422308b0387a7a5fc7d8f4c058e03a510af8c3e1023c53d600ee81aff4687db301d65ce4309be44b1b51a74d761f706

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

                            Filesize

                            21KB

                            MD5

                            ccf1d1d38d02a6828e3a879810d84a27

                            SHA1

                            42f4f54384bab86aeb805ad4d12344c3492e541d

                            SHA256

                            51bdfcf9ce006591cc8c11844cfd40f86a9f556d5936e64f288b447443b2cf82

                            SHA512

                            d89595e5b7028117ccf1fc0d798f1e6c76909b9fd393ef67e091445b9d16277a1f01b33a7f1ac35e315bb9dc7b20679a4ec26fa0dee6e6d35e9b189c505d40ca

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

                            Filesize

                            21KB

                            MD5

                            8adac8526aa531ce75a7bf2d99897f4c

                            SHA1

                            0b799272e92c5fa7328c5fa05aa65f80606e1e90

                            SHA256

                            a4b523beea3dd45a68d12b5918a434b51112ab8d12cca8c2c804120a9a76cf25

                            SHA512

                            4e71577327464ea7df615be31e62a9abd5a6268882d83f0ebc34940a856268b62118cb03d7dbd4c192d60503bccd61ee34810981128040921444b581e2fd588b

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\42881ce1-6220-40dc-91c6-c78ad8c1dfb4

                            Filesize

                            671B

                            MD5

                            bfffc99e41522a09a6dfc14c4790d14d

                            SHA1

                            1cccf60334c9c778b5f9a07671098a3c31c9885c

                            SHA256

                            fbc68886bdcb1b523a6e3facb81080420418772e0625ddd43cff9b518e0d3c52

                            SHA512

                            8c2ff8b2821db2e2ddee78c1a4a6964e590cc0f169ecac560e91995b3c1e4dcf4905dcf25ae9414f819be6a53842ac6cf2c4c5d742696ff7c655e5f2216412c8

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\a095a6c6-8981-4eb5-a0f3-3905454299f5

                            Filesize

                            27KB

                            MD5

                            196596f6fa73510ab69ee634815a2e42

                            SHA1

                            f36a5383e01c654b2ab1c1ee1a16fb0f6550c02b

                            SHA256

                            1f4c8ca036debd25cb4f431c8ca7af785f60e9d9fdbcfae28fcd68f8de9ef61c

                            SHA512

                            a741ee88af26373743ec784f8ca6a7188504f3fe964f3e892e744d7b1c14c6f90af03d8e79f415d734fc489b2373619ea79a584370542b05906b83ce7b4a4b2c

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\a748beb3-e51c-4e86-a83e-6930dabde765

                            Filesize

                            982B

                            MD5

                            9f7f96c16158769f131c344f1b0d6b80

                            SHA1

                            e6389e5b16ef0419d958d74bc29e008fbc51db26

                            SHA256

                            154c76efa3fb89905359e903f9fe8dd7840d02da19b3ec1ffb006c58a50ac291

                            SHA512

                            ad203a347180df55ceffaf6c37e55127e4f422cc089fbeca60b24417c14014eb1000ff2002408a83db413eb05c8ce86c666af182957273a2bc63c7aca143be60

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                            Filesize

                            1.1MB

                            MD5

                            842039753bf41fa5e11b3a1383061a87

                            SHA1

                            3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                            SHA256

                            d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                            SHA512

                            d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                            Filesize

                            116B

                            MD5

                            2a461e9eb87fd1955cea740a3444ee7a

                            SHA1

                            b10755914c713f5a4677494dbe8a686ed458c3c5

                            SHA256

                            4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                            SHA512

                            34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                            Filesize

                            372B

                            MD5

                            bf957ad58b55f64219ab3f793e374316

                            SHA1

                            a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                            SHA256

                            bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                            SHA512

                            79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                            Filesize

                            17.8MB

                            MD5

                            daf7ef3acccab478aaa7d6dc1c60f865

                            SHA1

                            f8246162b97ce4a945feced27b6ea114366ff2ad

                            SHA256

                            bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
