Analysis

  • max time kernel
    549s
  • max time network
    550s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30-05-2024 14:54

Errors

Reason
Machine shutdown

General

  • Target

    furinaa.jpg

  • Size

    66KB

  • MD5

    c75acd9aa617d03b75c3d23d50cad904

  • SHA1

    1a3f88617887cbe0d7a99377669669232a848c8e

  • SHA256

    e3d68cda13fa8087a4e6d36b1cde74ceb514b36f6814e41d40d423cb125586be

  • SHA512

    7f4416a7832fc75799186e0645662c16c69be6b8fb667e5dea18ae84d5ce90096c3fb6fdde17a3268beb899b55fdf21e22f513d7430ccf32d7c56b6483d621c7

  • SSDEEP

    1536:9BOsicjEsh0nQmfgvrmIVGqLhcMNynt6YVTjmBFUO52weuruCz:9BOFcrWQmovBVGqvWoYVTjgUO52JwuCz

Malware Config

Extracted

Family

xworm

Version

5.0

C2

interest-specialty.gl.at.ply.gg:53471

Mutex

ZXQe0hLZLNfanVlh

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Drops startup file 2 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 62 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 58 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\furinaa.jpg
    1⤵
    PID:3000
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.0.663054079\1644667076" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1424 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e04cf7b-f1aa-4f56-abfa-67f57c12abd1} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 1896 1b5b560ef58 gpu
        3⤵
        PID:2452
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.1.1185038849\852847661" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee0d59c3-2d61-4421-8936-09ec85d725d8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2420 1b5a888a858 socket
        3⤵
        PID:380
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.2.1353432806\1624256194" -childID 1 -isForBrowser -prefsHandle 1716 -prefMapHandle 1596 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a458e16a-e391-4ca6-ace7-07ff4873de65} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2908 1b5b7dee558 tab
        3⤵
        PID:2552
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.3.433532953\1147322840" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4123d1e-66ee-478f-8188-eb2f52388e19} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 3564 1b5bb01ff58 tab
        3⤵
        PID:2084
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.4.1007862898\1606920020" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {854881ce-6604-4fcb-8832-6c7593b1aa4c} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5044 1b5a8880d58 tab
        3⤵
        PID:1080
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.5.737695518\854914208" -childID 4 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d609e15c-c57d-4644-ab2e-8d8a4e4db261} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5208 1b5bbde1358 tab
        3⤵
        PID:2188
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.6.448346326\965839413" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5212 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0cca9c-a2ad-493a-aca6-e6d7616963da} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5400 1b5bd464f58 tab
        3⤵
        PID:4608
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.7.557364378\1028396740" -childID 6 -isForBrowser -prefsHandle 4788 -prefMapHandle 5936 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b4a8f31-eb04-4bf0-87ff-91462a442c1c} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5948 1b5bdf64558 tab
        3⤵
        PID:5024
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.8.1157311089\502990718" -childID 7 -isForBrowser -prefsHandle 6060 -prefMapHandle 6048 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ea0ed98-e454-4fd7-9de3-8a6ebc5eaa6e} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2980 1b5be38db58 tab
        3⤵
        PID:4220
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.9.1237305292\907416870" -childID 8 -isForBrowser -prefsHandle 6848 -prefMapHandle 6832 -prefsLen 28215 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9deb87e-5ac6-4a38-b99a-19bea08a62ff} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 6808 1b5b7df0658 tab
        3⤵
        PID:1564
      • C:\Users\Admin\Downloads\7z2406-x64.exe
        "C:\Users\Admin\Downloads\7z2406-x64.exe"
        3⤵
        • Executes dropped EXE
        • Registers COM server for autorun
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3944
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.10.1431935357\502982388" -childID 9 -isForBrowser -prefsHandle 6132 -prefMapHandle 4900 -prefsLen 31069 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff254255-81dc-4adf-bffe-19c3347b6941} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2884 1b5bdfda258 tab
        3⤵
        PID:5352
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.11.1775695385\752754274" -childID 10 -isForBrowser -prefsHandle 6028 -prefMapHandle 6032 -prefsLen 31069 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d23de00-4b5c-44f1-9646-faab6c2db9c8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2720 1b5bdfdb158 tab
        3⤵
        PID:2124
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.12.1218192411\926714357" -childID 11 -isForBrowser -prefsHandle 7384 -prefMapHandle 7380 -prefsLen 31413 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2cd2e2-a9ff-4bbc-b6d1-e19318307dcd} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 7396 1b5c2227858 tab
        3⤵
        PID:3784
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:2460
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1368
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:3672
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4232
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3736
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FreeDon.rar"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4496
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:5256
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5952
  • C:\Users\Admin\Desktop\FreeDon.exe
    "C:\Users\Admin\Desktop\FreeDon.exe"
    1⤵
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\FreeDon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FreeDon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nursultan'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:6084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Nursultan" /tr "C:\Users\Admin\AppData\Roaming\Nursultan"
      2⤵
      • Creates scheduled task(s)
      PID:4320
  • C:\Users\Admin\AppData\Roaming\Nursultan
    C:\Users\Admin\AppData\Roaming\Nursultan
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2100
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    PID:6068
  • C:\Users\Admin\AppData\Roaming\Nursultan
    C:\Users\Admin\AppData\Roaming\Nursultan
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5196
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5812
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    PID:4480
  • C:\Users\Admin\AppData\Roaming\Nursultan
    C:\Users\Admin\AppData\Roaming\Nursultan
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:6120
  • C:\Users\Admin\AppData\Roaming\Nursultan
    C:\Users\Admin\AppData\Roaming\Nursultan
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4616
  • C:\Users\Admin\AppData\Roaming\Nursultan
    C:\Users\Admin\AppData\Roaming\Nursultan
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2564
  • C:\Users\Admin\AppData\Roaming\Nursultan
    C:\Users\Admin\AppData\Roaming\Nursultan
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5456
  • C:\Users\Admin\AppData\Roaming\Nursultan
    C:\Users\Admin\AppData\Roaming\Nursultan
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5536
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39f8055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5404

Network

MITRE ATT&CK Enterprise v15

Downloads

                                      • C:\Program Files\7-Zip\7-zip.dll

                                        Filesize

                                        99KB

                                        MD5

                                        7ec019d8445f4dcdb91a380c9d592957

                                        SHA1

                                        15fd8375e2e282a90d3df14041272e5ac29e7c93

                                        SHA256

                                        1cc179f097ee439bb35a582059cbc727d9cea0d5c43dfaa57f9f03050cfaea03

                                        SHA512

                                        d71a79091fcc6a96c24d95662a18cc24145b9531145ef0bcb4e882c12f5bb5ca6c7a9b9e50024c9c0bf4cb6bf40dca7627cecbfddd637142d04a194e1956ae9b

                                      • C:\Program Files\7-Zip\7z.dll

                                        Filesize

                                        1.8MB

                                        MD5

                                        1939f878ae8d0cbcc553007480a0c525

                                        SHA1

                                        df9255af8e398e72925309b840b14df1ae504805

                                        SHA256

                                        86926f78fad0d8c75c7ae01849bf5931f4484596d28d3690766f16c4fb943c19

                                        SHA512

                                        a5e4431f641e030df426c8f0db79d4cef81a67ee98e9253f79c1d9e41d4fc939de6f3fd5fc3a7170042842f69be2bb15187bf472eeaaf8edd55898e90b4f1ddd

                                      • C:\Program Files\7-Zip\7zFM.exe

                                        Filesize

                                        960KB

                                        MD5

                                        5764deed342ca47eb4b97ae94eedc524

                                        SHA1

                                        e9cbefd32e5ddd0d914e98cfb0df2592bebc5987

                                        SHA256

                                        c5c7ad094ad71d8784c8b0990bf37a55ffc7c7ab77866286d77b7b6721943e4f

                                        SHA512

                                        6809130394a683c56a0245906d709b2289a631f630055d5e6161b001e216d58045d314b0148512d8c01f0c2bf5f9f16e93fa7d61ab3d24beab4f9c3d4db13c18

                                      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk

                                        Filesize

                                        783B

                                        MD5

                                        f75bca5e458bc373b27178fedbc08dde

                                        SHA1

                                        69925e8380fef1675a832ad80072045c68496975

                                        SHA256

                                        a9f1d0387cbd5f76e755aca09714df5a3f59f89c72058a089d664b3e3151dc2a

                                        SHA512

                                        89beec9f5b4a1a30bd39aac88d9b76ca604edf53fdd18fde4b4fdf04669f6119bd681a8f901a64e3afa4adf4d7abad2f3fbb055ca86c0e448efbebe45e6bdab9

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan.log

                                        Filesize

                                        654B

                                        MD5

                                        2cbbb74b7da1f720b48ed31085cbd5b8

                                        SHA1

                                        79caa9a3ea8abe1b9c4326c3633da64a5f724964

                                        SHA256

                                        e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

                                        SHA512

                                        ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                        Filesize

                                        2KB

                                        MD5

                                        627073ee3ca9676911bee35548eff2b8

                                        SHA1

                                        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                        SHA256

                                        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                        SHA512

                                        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

                                        Filesize

                                        14KB

                                        MD5

                                        bf27ba6e5bbaa32e7d473c8e30a10b21

                                        SHA1

                                        cc9d5ad6944fa4c24306e538d088e91bcf9490bf

                                        SHA256

                                        02c40d29f8dc493a8fc393a9ca22836936bbc373025a0653280ca8ea5069b4c9

                                        SHA512

                                        4447cf6a9ccc79848ebe60bee8631477691d0a5ea065002d38a45f26f553d3d69f17180a72e1a9589ceb179c12b881acdb1d17d73ba69e4b3a8a79ca101586dd

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

                                        Filesize

                                        14KB

                                        MD5

                                        6439b876c1256338dff766ec21e4894b

                                        SHA1

                                        04d86ce1b131612ed97fd1f2173858d201b7c4a2

                                        SHA256

                                        a630e5fb067734f287859c60bdb047fc11d79645e80b6cdf87e102904ae8da23

                                        SHA512

                                        5e67786415d41a92e9f3e609a167a38dc7d4ce00e3cdb7f6759cba03b4cf3c90d1d73759d0a9df3a53c910ac250754729b69bb1c6e533f5f8b341654d9e7b044

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: d0a4a3b9a52b8fe3b019f6cd0ef3dad6
    SHA1: fed70ce7834c3b97edbd078eccda1e5effa527cd
    SHA256: 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
    SHA512: 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 80b42fe4c6cf64624e6c31e5d7f2d3b3
    SHA1: 1f93e7dd83b86cb900810b7e3e43797868bf7d93
    SHA256: ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d
    SHA512: 83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: de72a228bcabf1530b028259a45904a8
    SHA1: 8f584cd6b0e728a72e8fea86aeed8c308a80c95e
    SHA256: 3aa6fc7f1a9f4947c43dd2a3533a4db67bc89774b9eaa4f31279a1ff223b4411
    SHA512: 762d5ff80a9fe0c2361d5a50a65b4625ca30a65fefeda8a52c7dd41a79162e3fe6f8623808730d07fe1b199e514b9fe3937926891beb5113119469d4fcd3e4a2

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 23KB
    MD5: 96506344c2ca375182f16025551f0775
    SHA1: 487b24589c56894868a1e3043589e8890e22ab6e
    SHA256: ae86706049383e1e6061b2d8da676cc679487c5b4d13500c8ea5bf629f09801a
    SHA512: 25cadc5033d293b98980d6891c3baafb2afb73c22894ae2bd42e47ca0b925181ff932b59a5ed2fc8cdaabd9ba7fb5e02331d3eba348ea5c4964b2353affe764b

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
    Filesize: 13KB
    MD5: ed0a8e0ffc0766398f67c2ff35a65ef7
    SHA1: 1349610802bd524f47448a02104a02fac6e36d32
    SHA256: 9146fb9ae7faf47a075ea2967e31f2f32dfe0cb3f4224e963ec35420b628240c
    SHA512: 81a62bdb015b4914a99e641fa8c9b4b98391c1aa8d1a7079834a80ad1cba244fe6a8ac26796330a7047886a86d0b44439b1b403bda22fed849688323fe1ddaf6

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize: 10KB
    MD5: e9aa12ff0be6d995ed86f8cf88678158
    SHA1: e5ee38fc2ebef0fcbc3059dee29b39f7daf21931
    SHA256: f35cd8ef03ac924a59943c5dfffc31ab67a8b5aff272e9f47ff776aabc7ee561
    SHA512: 95a67acd2a4784b87d73910c1f1f590937c9d9b901e98448556a37eb8137ae5f458f1c673d65a46cf7d6b90bee5fe6b102ce3eeac9e819062cd9c5c2418bcbfc

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3yo1j3i.ou3.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
    Filesize: 442KB
    MD5: 85430baed3398695717b0263807cf97c
    SHA1: fffbee923cea216f50fce5d54219a188a5100f41
    SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
    SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
    Filesize: 8.0MB
    MD5: a01c5ecd6108350ae23d2cddf0e77c17
    SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
    SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
    SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
    Filesize: 14KB
    MD5: da7f697acf9dcd10f7ceabb1c61b5161
    SHA1: ebbbfd4b7c547b7fbb9f32ed99e864772e5ca0ab
    SHA256: d9780ac6eb7d3e14404378637a7850f2c789de1f8b9e5202792e5aee46d0d2f2
    SHA512: 2fba3d34aa5c0d5ca37d92dcf02b07b8b5f0ecb104f4cd742e7e11cacb3ed871d2054c87ef4ab4807afe50220b47142b8b67928b081a7a50f18ac802391b30be

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
    Filesize: 15KB
    MD5: a0f41b475d109b9b1890669039c8d3f6
    SHA1: ce9f62eb336c1afce96001c148579bf435a5e64b
    SHA256: ae367527b14b5058395bf9bb9f8980f7a14a094ac61766bf31566ec0d11ffcc8
    SHA512: bc42e2cb63b587ff51324546b13e4bddf69730d08ea6708fb54b09792826cdc6d4c4296c5e453e652424cca83a00363f171306f92efd3adb515dcdc2d5c6864b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
    Filesize: 15KB
    MD5: 950eb26a1f1841aeb80c63e78a1936dd
    SHA1: 0e2abaa973a49cd50ac1fd92c1157a81d91d2c59
    SHA256: c2106d9d1fcafdffbc7d3c346d7479496c46f48fe9cbc12c45790994a959df36
    SHA512: e9f2f189bd78b1433536249ae37fa5e40d075c10d1b6615e79092cfed1cd55e2bca742da73ee48fe0fd530e66de85b58cd2c62dc6e1ae09d545a79fe45e4b580

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
    Filesize: 15KB
    MD5: 0c414731e876cb9af97d4ab69930b589
    SHA1: 2be0b374c4840d920ffeeaf3a559af9956c23860
    SHA256: bb136f084b3dce1332f1f474004ea35b16a0c161e86c4370aacac421db4ae336
    SHA512: 98183f6ead1a98ecd364525d92a36638743d95c4c7ed6524b746f60094e214abdb75fdefdd447a97e3feb29a5d5a6d1fd855120ea656e8a6fc2e173550ab07c2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nursultan.lnk
    Filesize: 759B
    MD5: 5a57ee4d5dd5195140a2e17d46a3757d
    SHA1: d3d328506078ea28450e8a4417dc051e4d636536
    SHA256: 48e88d13eef82e3cff64b7ec47f51b1e7978c14eea0c835376c5ffa30c19ec32
    SHA512: 23bee69d319ae1a4a9a7cb5cb5b89b2fe51b8dbed26cb73cecf474f4ed6a736d7cae3ceebec5c6c4c9487f36f7bbecf94da3ad0a61461df378778215d77e74dc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 182B
    MD5: b1c8aa9861b461806c9e738511edd6ae
    SHA1: fe13c1bbc7e323845cbe6a1bb89259cbd05595f8
    SHA256: 7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70
    SHA512: 841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
    Filesize: 997KB
    MD5: fe3355639648c417e8307c6d051e3e37
    SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
    SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
    SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
    Filesize: 116B
    MD5: 3d33cdc0b3d281e67dd52e14435dd04f
    SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
    SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
    SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
    Filesize: 479B
    MD5: 49ddb419d96dceb9069018535fb2e2fc
    SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
    SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
    SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
    Filesize: 372B
    MD5: 8be33af717bb1b67fbd61c3f4b807e9e
    SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
    SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
    SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
    Filesize: 11.8MB
    MD5: 33bf7b0439480effb9fb212efce87b13
    SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
    SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
    SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
    Filesize: 1KB
    MD5: 688bed3676d2104e7f17ae1cd2c59404
    SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
    SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
    SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
    Filesize: 1KB
    MD5: 937326fead5fd401f6cca9118bd9ade9
    SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
    SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
    SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
    Filesize: 7KB
    MD5: 6268dc122b69bb3decc6f3553c2fac3e
    SHA1: ac4524ae31e1759a24a1c374d2bfb0401b4908b8
    SHA256: fd26601d6fe26de94daa4976996fe507708a2bf7e0df2abeaa14445fe6925d60
    SHA512: a79a005de36381468ddc5b3a486cfc3919374406db43e576014d672800688c01600cb914b8b08a6ab30f6524ed4a075ead5c55f7b503894b91fb428e85794b5e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
    Filesize: 6KB
    MD5: ae178de4c8f860bf113cb08a352463ef
    SHA1: b88b747ad0cbbf62446822fb0491bdc56572bae4
    SHA256: 3e36c8ad765d8932c0c09b595329047ec5e9535e287ffedd6edfc417dfdfbd55
    SHA512: 20785b79f53f13b7ef080accff36555dd81caad38aed119451f929f555a48fce24ebac11bca4b277dd71275d9b5098b0638b840b7c8a18869e7d1125437c7a80

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
    Filesize: 7KB
    MD5: 34f7d1715000739dadf374bbbdf86c75
    SHA1: bbd06472af1fb9bce8ffafbcd606f2d83ff87a8c
    SHA256: 287b7c1009566bdeda3c5718d08fc2a14506e186e728b189362d127b3ecb7329
    SHA512: e93e70b46b2cab1da60d4767bd2ac1c7a21953ec11429e6685f8f1cab910deb550a8d96c76a9a910b954262f78d6bd2e9825137756fb0c304869ad08c346b7bf

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionCheckpoints.json.tmp
    Filesize: 259B
    MD5: c8dc58eff0c029d381a67f5dca34a913
    SHA1: 3576807e793473bcbd3cf7d664b83948e3ec8f2d
    SHA256: 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
    SHA512: b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 10b0539c8890a39155b8e26d56f474ab
    SHA1: f37122efbfcaf85d299c0c3780df24fb2b482342
    SHA256: b567af3f4e0152d1a2c98055faf0c8726014372753e0e73e9030963305eee384
    SHA512: 107c40a0b9fc35389be785b0d7c7e17d172c09e54694c2858440174a9f44694679efd5a21e12c70c08d54baeed064e807c5d662c49d00972902763a3be6a5a7d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 2KB
    MD5: 81b66c46094a0fc160e257087561ab09
    SHA1: 5d5cf7626046eef1902fdcc9796545e87f6b89a9
    SHA256: f8280e20b561eaafb52e02ef49e96dad43b0696c5faa3cb4890be95259b2bc5b
    SHA512: b9d0960b164d6e415c88290eaa8750ae330a735d432fcdfddd971bc95ee9b437bee522b52dec32fbe1b11fc771a5f368a17692599451bdf05e97ecfe30e46c7d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 58f477f0b28e9753878512afef780ceb
    SHA1: a5ba86dd7996b2df2b606a8124589b2c5c9c338f
    SHA256: 4bab9f984d8d2bbe7bab48ce877376f9185319763541a88d53c74083a7f22354
    SHA512: f0409e82f61627ef8f943d41d3c60e53024c5959242cf289fab9e021b281095a9b18c52bd2ae43a9bcc1dda1fb56bef5c4cf7a16d89488026ed68c70a7362947

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 2KB
    MD5: 28fb4aeac021ceb4d79de0fdd2589dcc
    SHA1: 15a19474e01e23d8fb5ee51caa02e6ad59474ad2
    SHA256: 34b6e8f93abee214b79a68e599a942d77a59022e057ded7f48729199cd509e42
    SHA512: a64e052b4681259ef5c2ec4e3b44e8d41464c228df5707188d0b33e27cfd01327198a4774fc68aa00b5313214fe95cebebf3cc0cb1c6da1d46cd0a7f225e7b79

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 3KB
    MD5: 40a5130eb4a500db6ebec3a783e417d3
    SHA1: 74e89946a97a86d12bff97c324b6e6bbfb3a0a49
    SHA256: f282235bf5855ec89a7a4d3027f88d4db4ce018ef14d1b0b0bc62c59597d38c3
    SHA512: ea47a8a40a741ffdc630d1d61c57eda9a382b05676440d45d657050e2b48efef62f5311011ced14600d59cc637be3f9b9a315c2ba47dee79e485ad29febd811b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore.jsonlz4
    Filesize: 2KB
    MD5: 895b515d053be005553b962b3a91c16c
    SHA1: 11fc8c4498f8d418e59f0a0a3541390a7010ce80
    SHA256: 7542ebe7fba865d26f7599c418555977b7adf397b4c7a8e8ad4137c57772ef84
    SHA512: becdf2d5c9ee23e9ec5227fcfed08dbbd12f767652bbdcb3778e0d89608818d7f259bf70c9bfbf7acc08a35d24b6b86d05bfa2feea9583ad03dc5737b614905e

  • C:\Users\Admin\Desktop\FreeDon.exe
    Filesize: 41KB
    MD5: e1f17ea0754c07f8090d366d4d8600d9
    SHA1: ece42940360b736f5a087461d59d4e7d20e23a17
    SHA256: e1374461ee3fbb33b746a65eec26bf5b0f3a4dcec6f2b4086f2805bf14927509
    SHA512: 78d81fb23100fb125348da151c4ed16ca88b07d52b451684b64712286ec70069f9a47539d34856b8050f60b0cfff40bf1af476ee153fb29cc18acb842dc1aa26

  • C:\Users\Admin\Downloads\7z2406-x64.exe
    Filesize: 1.5MB
    MD5: d8af785ca5752bae36e8af5a2f912d81
    SHA1: 54da15671ad8a765f3213912cba8ebd8dac1f254
    SHA256: 6220bbe6c26d87fc343e0ffa4e20ccfafeca7dab2742e41963c40b56fb884807
    SHA512: b635b449f49aac29234f677e662be35f72a059401ea0786d956485d07134f9dd10ed284338503f08ff7aad16833cf034eb955ca34e1faf35a8177ccad1f20c75

  • C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier
    Filesize: 617B
    MD5: 7d95d0b5da2fd9a23817a4869a408ad2
    SHA1: 3fc1121716b660f5c0f7f80ec2e88ea87e9363ca
    SHA256: 813143a66c9957854e6800c69c9a6b9f5c6955a1b311009f1a17ca45ede3cf1e
    SHA512: 15f1481027adefc71f012a0d3f606619e17cf4653f328cfa9121ea4cbf35006677cc7207dc1ff3a518ecbb6290ecb5a4a865ee8b86f21be922271942cd2c656d

  • C:\Users\Admin\Downloads\FreeDon.upMQfKUs.rar.part
    Filesize: 19KB
    MD5: d35953088cc948dd9eda4f1ce2432997
    SHA1: 6a62948696fc3c4cd269b77d3dd7ab4445c1d020
    SHA256: 348d2d9b00d2cb37539896f41be890ba0378a0177756308e0f38fcf993d3dd73
    SHA512: 12d35dbd6306bf06b6320c3be9ad8bc251c44f6ef7e82524368f22e85af0ca172904f56dc1bfaaffb876c7d9000a48f4ebe8b7a09913a02266d792c6d52866bd

  • memory/4852-562-0x00000226CF440000-0x00000226CF462000-memory.dmp
    Filesize: 136KB

  • memory/5252-559-0x0000000000C70000-0x0000000000C80000-memory.dmp
    Filesize: 64KB

  • memory/5952-553-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB

  • memory/5952-551-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB

  • memory/5952-554-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB

  • memory/5952-546-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB

  • memory/5952-550-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB

  • memory/5952-545-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB

  • memory/5952-544-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB

  • memory/5952-552-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB

  • memory/5952-556-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB

  • memory/5952-555-0x000002B50D120000-0x000002B50D121000-memory.dmp
    Filesize: 4KB
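
The dropped-file list above is a flat key/value dump, and most of it is browser and shell housekeeping that an analyst has to wade through to reach the handful of entries that matter. As an added example (it is not part of the sandbox report), the Python below parses entries in this layout, accepting both the key-on-one-line/value-on-the-next form and a compact `Key: value` form, normalises the rounded sizes, checks that each digest has the right hex length (a truncated hash copied into a blocklist silently matches nothing), and labels the paths worth pulling first: the `.lnk` in the Startup folder (runs at every logon), the `Zone.Identifier` stream on the download (Mark-of-the-Web), the `__PSScriptPolicyTest_*.ps1` file PowerShell writes to `%TEMP%` while checking AppLocker/WDAC script policy (evidence that PowerShell ran, not malicious in itself), executables under the user profile, and memory dumps. The sample input is constructed from entries on this page; the flag names and the `Artifact` record are this example's own.

```python
import re
from dataclasses import dataclass, field

# Hex length of each digest the report lists; used to catch truncated copies.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
KEYS = ("Filesize",) + tuple(HASH_LEN)
_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$")
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class Artifact:
    path: str
    fields: dict = field(default_factory=dict)  # Filesize, MD5, SHA1, ...
    flags: list = field(default_factory=list)   # labels from triage_flags()


def parse_size(text):
    """'944B' -> 944, '8.0MB' -> 8388608. The report rounds, so treat as approximate."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2)])


def triage_flags(a):
    """Label the entries an analyst pulls out of a dropped-file list first.
    The flag names are this example's own, not the sandbox's."""
    low = a.path.lower()
    name = low.replace("/", "\\").rsplit("\\", 1)[-1]
    flags = []
    if low.startswith("memory/"):
        flags.append("memory_dump")
    if "\\start menu\\programs\\startup\\" in low:
        flags.append("startup_persistence")     # anything here runs at each logon
    if low.endswith(":zone.identifier"):
        flags.append("mark_of_the_web")         # ADS written by the browser on download
    if name.startswith("__psscriptpolicytest_") and name.endswith(".ps1"):
        flags.append("powershell_ran")          # PowerShell's AppLocker/WDAC probe file
    if name.endswith(".exe") and any(d in low for d in ("\\desktop\\", "\\downloads\\", "\\appdata\\")):
        flags.append("executable_in_user_dir")
    for key, n in HASH_LEN.items():
        value = a.fields.get(key)
        if value is not None and not re.fullmatch(rf"[0-9a-f]{{{n}}}", value):
            flags.append("bad_" + key.lower())  # truncated or mangled digest
    return flags


def parse_listing(text):
    """Parse the dropped-file list. A line starting with '•' opens an entry; the
    fields after it are either 'Key: value' on one line or a key line followed
    by its value on the next line, with blank lines allowed anywhere."""
    artifacts, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            artifacts.append(Artifact(path=line[1:].strip()))
            pending = None
        elif not artifacts:
            continue                            # stray text before the first entry
        elif line in KEYS:
            pending = line
        elif pending is not None:
            artifacts[-1].fields[pending] = line
            pending = None
        elif line.split(":", 1)[0] in KEYS:
            key, value = line.split(":", 1)
            artifacts[-1].fields[key] = value.strip()
    for a in artifacts:
        a.flags = triage_flags(a)
    return artifacts


# Constructed sample: five entries copied from this report, the first in the
# page's flattened layout (key line, then value line), the rest compact.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3yo1j3i.ou3.ps1
  Filesize
  60B
  MD5
  d17fe0a3f47be24a6453e9ef58c94641
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nursultan.lnk
  Filesize: 759B
  MD5: 5a57ee4d5dd5195140a2e17d46a3757d
  SHA256: 48e88d13eef82e3cff64b7ec47f51b1e7978c14eea0c835376c5ffa30c19ec32
• C:\Users\Admin\Desktop\FreeDon.exe
  Filesize: 41KB
  SHA256: e1374461ee3fbb33b746a65eec26bf5b0f3a4dcec6f2b4086f2805bf14927509
• C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier
  Filesize: 617B
  MD5: 7d95d0b5da2fd9a23817a4869a408ad2
• memory/5252-559-0x0000000000C70000-0x0000000000C80000-memory.dmp
  Filesize: 64KB
"""

if __name__ == "__main__":
    for a in parse_listing(SAMPLE):
        print(f"{parse_size(a.fields['Filesize']):>8}  {','.join(a.flags) or '-':<24}  {a.path}")
```

Feed it the whole listing (copied as text) and the flagged entries are the ones to hash-match against endpoint telemetry; the `bad_*` flags catch digests that lost characters on the way into a blocklist, which is the usual reason a "known" hash never fires.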