Analysis Overview
SHA256
e3d68cda13fa8087a4e6d36b1cde74ceb514b36f6814e41d40d423cb125586be
Threat Level: Known bad
The file furinaa.jpg was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Registers COM server for autorun
Executes dropped EXE
Loads dropped DLL
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS
Modifies registry class
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 14:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 14:54
Reported
2024-05-30 15:05
Platform
win11-20240508-en
Max time kernel
549s
Max time network
550s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nursultan.lnk | C:\Users\Admin\Desktop\FreeDon.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nursultan.lnk | C:\Users\Admin\Desktop\FreeDon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\FreeDon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Roaming\\Nursultan" | C:\Users\Admin\Desktop\FreeDon.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tg.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.dll | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\descript.ion | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "70" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \Registry\User\S-1-5-21-1672260578-815027929-964132517-1000_Classes\NotificationData | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000be580277110050524f4752417e310000740009000400efbec5525961be5803772e0000003f0000000000010000000000000000004a000000000034622700500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\FreeDon.rar:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\furinaa.jpg
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.0.663054079\1644667076" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1424 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e04cf7b-f1aa-4f56-abfa-67f57c12abd1} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 1896 1b5b560ef58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.1.1185038849\852847661" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee0d59c3-2d61-4421-8936-09ec85d725d8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2420 1b5a888a858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.2.1353432806\1624256194" -childID 1 -isForBrowser -prefsHandle 1716 -prefMapHandle 1596 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a458e16a-e391-4ca6-ace7-07ff4873de65} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2908 1b5b7dee558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.3.433532953\1147322840" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4123d1e-66ee-478f-8188-eb2f52388e19} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 3564 1b5bb01ff58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.4.1007862898\1606920020" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {854881ce-6604-4fcb-8832-6c7593b1aa4c} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5044 1b5a8880d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.5.737695518\854914208" -childID 4 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d609e15c-c57d-4644-ab2e-8d8a4e4db261} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5208 1b5bbde1358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.6.448346326\965839413" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5212 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0cca9c-a2ad-493a-aca6-e6d7616963da} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5400 1b5bd464f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.7.557364378\1028396740" -childID 6 -isForBrowser -prefsHandle 4788 -prefMapHandle 5936 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b4a8f31-eb04-4bf0-87ff-91462a442c1c} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 5948 1b5bdf64558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.8.1157311089\502990718" -childID 7 -isForBrowser -prefsHandle 6060 -prefMapHandle 6048 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ea0ed98-e454-4fd7-9de3-8a6ebc5eaa6e} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2980 1b5be38db58 tab
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.9.1237305292\907416870" -childID 8 -isForBrowser -prefsHandle 6848 -prefMapHandle 6832 -prefsLen 28215 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9deb87e-5ac6-4a38-b99a-19bea08a62ff} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 6808 1b5b7df0658 tab
C:\Users\Admin\Downloads\7z2406-x64.exe
"C:\Users\Admin\Downloads\7z2406-x64.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FreeDon.rar"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\Desktop\FreeDon.exe
"C:\Users\Admin\Desktop\FreeDon.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\FreeDon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FreeDon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nursultan'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Nursultan" /tr "C:\Users\Admin\AppData\Roaming\Nursultan"
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.10.1431935357\502982388" -childID 9 -isForBrowser -prefsHandle 6132 -prefMapHandle 4900 -prefsLen 31069 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff254255-81dc-4adf-bffe-19c3347b6941} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2884 1b5bdfda258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.11.1775695385\752754274" -childID 10 -isForBrowser -prefsHandle 6028 -prefMapHandle 6032 -prefsLen 31069 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d23de00-4b5c-44f1-9646-faab6c2db9c8} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 2720 1b5bdfdb158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2368.12.1218192411\926714357" -childID 11 -isForBrowser -prefsHandle 7384 -prefMapHandle 7380 -prefsLen 31413 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2cd2e2-a9ff-4bbc-b6d1-e19318307dcd} 2368 "\\.\pipe\gecko-crash-server-pipe.2368" 7396 1b5c2227858 tab
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Users\Admin\AppData\Roaming\Nursultan
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f8055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 44.230.111.112:443 | shavar.prod.mozaws.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| N/A | 127.0.0.1:49728 | tcp | |
| N/A | 127.0.0.1:49735 | tcp | |
| RU | 87.250.250.50:443 | disk.yandex.ru | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 77.88.21.148:443 | docviewer.yandex.ru | tcp |
| RU | 87.250.250.50:443 | disk.yandex.ru | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 77.88.55.88:443 | yandex.ru | tcp |
| RU | 87.250.250.90:443 | an.yandex.ru | tcp |
| RU | 87.250.250.90:443 | an.yandex.ru | tcp |
| RU | 77.88.21.90:443 | an.yandex.ru | tcp |
| RU | 93.158.134.36:443 | favicon.yandex.net | tcp |
| RU | 87.250.247.183:443 | avatars.mds.yandex.net | tcp |
| RU | 87.250.250.90:443 | an.yandex.ru | tcp |
| RU | 77.88.21.90:443 | an.yandex.ru | tcp |
| RU | 77.88.21.90:443 | an.yandex.ru | tcp |
| RU | 213.180.204.158:443 | storage.mds.yandex.net | tcp |
| RU | 77.88.21.127:443 | downloader.disk.yandex.ru | tcp |
| RU | 5.45.227.45:443 | s875sas.storage.yandex.net | tcp |
| RU | 195.209.108.50:443 | ad.adriver.ru | tcp |
| DE | 49.12.202.237:80 | 7-zip.org | tcp |
| DE | 49.12.202.237:80 | 7-zip.org | tcp |
| DE | 49.12.202.237:443 | 7-zip.org | tcp |
| DE | 49.12.202.237:443 | 7-zip.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| GB | 184.28.176.10:443 | tcp | |
| US | 20.189.173.28:443 | browser.pipe.aria.microsoft.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 222.197.79.204.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| DE | 23.53.40.162:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.40.53.23.in-addr.arpa | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1---sn-aigl6ney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.183.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 7-zip.org | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 7-zip.org | udp |
| DE | 49.12.202.237:443 | 7-zip.org | tcp |
| US | 8.8.8.8:53 | 7-zip.org | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| DE | 49.12.202.237:443 | 7-zip.org | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 147.185.221.19:53471 | interest-specialty.gl.at.ply.gg | tcp |
| GB | 184.28.176.10:443 | tcp |
Files
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 96506344c2ca375182f16025551f0775 |
| SHA1 | 487b24589c56894868a1e3043589e8890e22ab6e |
| SHA256 | ae86706049383e1e6061b2d8da676cc679487c5b4d13500c8ea5bf629f09801a |
| SHA512 | 25cadc5033d293b98980d6891c3baafb2afb73c22894ae2bd42e47ca0b925181ff932b59a5ed2fc8cdaabd9ba7fb5e02331d3eba348ea5c4964b2353affe764b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
| MD5 | ae178de4c8f860bf113cb08a352463ef |
| SHA1 | b88b747ad0cbbf62446822fb0491bdc56572bae4 |
| SHA256 | 3e36c8ad765d8932c0c09b595329047ec5e9535e287ffedd6edfc417dfdfbd55 |
| SHA512 | 20785b79f53f13b7ef080accff36555dd81caad38aed119451f929f555a48fce24ebac11bca4b277dd71275d9b5098b0638b840b7c8a18869e7d1125437c7a80 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 58f477f0b28e9753878512afef780ceb |
| SHA1 | a5ba86dd7996b2df2b606a8124589b2c5c9c338f |
| SHA256 | 4bab9f984d8d2bbe7bab48ce877376f9185319763541a88d53c74083a7f22354 |
| SHA512 | f0409e82f61627ef8f943d41d3c60e53024c5959242cf289fab9e021b281095a9b18c52bd2ae43a9bcc1dda1fb56bef5c4cf7a16d89488026ed68c70a7362947 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
| MD5 | 34f7d1715000739dadf374bbbdf86c75 |
| SHA1 | bbd06472af1fb9bce8ffafbcd606f2d83ff87a8c |
| SHA256 | 287b7c1009566bdeda3c5718d08fc2a14506e186e728b189362d127b3ecb7329 |
| SHA512 | e93e70b46b2cab1da60d4767bd2ac1c7a21953ec11429e6685f8f1cab910deb550a8d96c76a9a910b954262f78d6bd2e9825137756fb0c304869ad08c346b7bf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 10b0539c8890a39155b8e26d56f474ab |
| SHA1 | f37122efbfcaf85d299c0c3780df24fb2b482342 |
| SHA256 | b567af3f4e0152d1a2c98055faf0c8726014372753e0e73e9030963305eee384 |
| SHA512 | 107c40a0b9fc35389be785b0d7c7e17d172c09e54694c2858440174a9f44694679efd5a21e12c70c08d54baeed064e807c5d662c49d00972902763a3be6a5a7d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 28fb4aeac021ceb4d79de0fdd2589dcc |
| SHA1 | 15a19474e01e23d8fb5ee51caa02e6ad59474ad2 |
| SHA256 | 34b6e8f93abee214b79a68e599a942d77a59022e057ded7f48729199cd509e42 |
| SHA512 | a64e052b4681259ef5c2ec4e3b44e8d41464c228df5707188d0b33e27cfd01327198a4774fc68aa00b5313214fe95cebebf3cc0cb1c6da1d46cd0a7f225e7b79 |
C:\Users\Admin\Downloads\FreeDon.upMQfKUs.rar.part
| MD5 | d35953088cc948dd9eda4f1ce2432997 |
| SHA1 | 6a62948696fc3c4cd269b77d3dd7ab4445c1d020 |
| SHA256 | 348d2d9b00d2cb37539896f41be890ba0378a0177756308e0f38fcf993d3dd73 |
| SHA512 | 12d35dbd6306bf06b6320c3be9ad8bc251c44f6ef7e82524368f22e85af0ca172904f56dc1bfaaffb876c7d9000a48f4ebe8b7a09913a02266d792c6d52866bd |
C:\Users\Admin\Downloads\7z2406-x64.exe
| MD5 | d8af785ca5752bae36e8af5a2f912d81 |
| SHA1 | 54da15671ad8a765f3213912cba8ebd8dac1f254 |
| SHA256 | 6220bbe6c26d87fc343e0ffa4e20ccfafeca7dab2742e41963c40b56fb884807 |
| SHA512 | b635b449f49aac29234f677e662be35f72a059401ea0786d956485d07134f9dd10ed284338503f08ff7aad16833cf034eb955ca34e1faf35a8177ccad1f20c75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 81b66c46094a0fc160e257087561ab09 |
| SHA1 | 5d5cf7626046eef1902fdcc9796545e87f6b89a9 |
| SHA256 | f8280e20b561eaafb52e02ef49e96dad43b0696c5faa3cb4890be95259b2bc5b |
| SHA512 | b9d0960b164d6e415c88290eaa8750ae330a735d432fcdfddd971bc95ee9b437bee522b52dec32fbe1b11fc771a5f368a17692599451bdf05e97ecfe30e46c7d |
C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier
| MD5 | 7d95d0b5da2fd9a23817a4869a408ad2 |
| SHA1 | 3fc1121716b660f5c0f7f80ec2e88ea87e9363ca |
| SHA256 | 813143a66c9957854e6800c69c9a6b9f5c6955a1b311009f1a17ca45ede3cf1e |
| SHA512 | 15f1481027adefc71f012a0d3f606619e17cf4653f328cfa9121ea4cbf35006677cc7207dc1ff3a518ecbb6290ecb5a4a865ee8b86f21be922271942cd2c656d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | bf27ba6e5bbaa32e7d473c8e30a10b21 |
| SHA1 | cc9d5ad6944fa4c24306e538d088e91bcf9490bf |
| SHA256 | 02c40d29f8dc493a8fc393a9ca22836936bbc373025a0653280ca8ea5069b4c9 |
| SHA512 | 4447cf6a9ccc79848ebe60bee8631477691d0a5ea065002d38a45f26f553d3d69f17180a72e1a9589ceb179c12b881acdb1d17d73ba69e4b3a8a79ca101586dd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 40a5130eb4a500db6ebec3a783e417d3 |
| SHA1 | 74e89946a97a86d12bff97c324b6e6bbfb3a0a49 |
| SHA256 | f282235bf5855ec89a7a4d3027f88d4db4ce018ef14d1b0b0bc62c59597d38c3 |
| SHA512 | ea47a8a40a741ffdc630d1d61c57eda9a382b05676440d45d657050e2b48efef62f5311011ced14600d59cc637be3f9b9a315c2ba47dee79e485ad29febd811b |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | e9aa12ff0be6d995ed86f8cf88678158 |
| SHA1 | e5ee38fc2ebef0fcbc3059dee29b39f7daf21931 |
| SHA256 | f35cd8ef03ac924a59943c5dfffc31ab67a8b5aff272e9f47ff776aabc7ee561 |
| SHA512 | 95a67acd2a4784b87d73910c1f1f590937c9d9b901e98448556a37eb8137ae5f458f1c673d65a46cf7d6b90bee5fe6b102ce3eeac9e819062cd9c5c2418bcbfc |
C:\Program Files\7-Zip\7-zip.dll
| MD5 | 7ec019d8445f4dcdb91a380c9d592957 |
| SHA1 | 15fd8375e2e282a90d3df14041272e5ac29e7c93 |
| SHA256 | 1cc179f097ee439bb35a582059cbc727d9cea0d5c43dfaa57f9f03050cfaea03 |
| SHA512 | d71a79091fcc6a96c24d95662a18cc24145b9531145ef0bcb4e882c12f5bb5ca6c7a9b9e50024c9c0bf4cb6bf40dca7627cecbfddd637142d04a194e1956ae9b |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 5764deed342ca47eb4b97ae94eedc524 |
| SHA1 | e9cbefd32e5ddd0d914e98cfb0df2592bebc5987 |
| SHA256 | c5c7ad094ad71d8784c8b0990bf37a55ffc7c7ab77866286d77b7b6721943e4f |
| SHA512 | 6809130394a683c56a0245906d709b2289a631f630055d5e6161b001e216d58045d314b0148512d8c01f0c2bf5f9f16e93fa7d61ab3d24beab4f9c3d4db13c18 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 6439b876c1256338dff766ec21e4894b |
| SHA1 | 04d86ce1b131612ed97fd1f2173858d201b7c4a2 |
| SHA256 | a630e5fb067734f287859c60bdb047fc11d79645e80b6cdf87e102904ae8da23 |
| SHA512 | 5e67786415d41a92e9f3e609a167a38dc7d4ce00e3cdb7f6759cba03b4cf3c90d1d73759d0a9df3a53c910ac250754729b69bb1c6e533f5f8b341654d9e7b044 |
C:\Program Files\7-Zip\7z.dll
| MD5 | 1939f878ae8d0cbcc553007480a0c525 |
| SHA1 | df9255af8e398e72925309b840b14df1ae504805 |
| SHA256 | 86926f78fad0d8c75c7ae01849bf5931f4484596d28d3690766f16c4fb943c19 |
| SHA512 | a5e4431f641e030df426c8f0db79d4cef81a67ee98e9253f79c1d9e41d4fc939de6f3fd5fc3a7170042842f69be2bb15187bf472eeaaf8edd55898e90b4f1ddd |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
| MD5 | f75bca5e458bc373b27178fedbc08dde |
| SHA1 | 69925e8380fef1675a832ad80072045c68496975 |
| SHA256 | a9f1d0387cbd5f76e755aca09714df5a3f59f89c72058a089d664b3e3151dc2a |
| SHA512 | 89beec9f5b4a1a30bd39aac88d9b76ca604edf53fdd18fde4b4fdf04669f6119bd681a8f901a64e3afa4adf4d7abad2f3fbb055ca86c0e448efbebe45e6bdab9 |
memory/5952-544-0x000002B50D120000-0x000002B50D121000-memory.dmp
memory/5952-545-0x000002B50D120000-0x000002B50D121000-memory.dmp
memory/5952-546-0x000002B50D120000-0x000002B50D121000-memory.dmp
memory/5952-552-0x000002B50D120000-0x000002B50D121000-memory.dmp
memory/5952-556-0x000002B50D120000-0x000002B50D121000-memory.dmp
memory/5952-555-0x000002B50D120000-0x000002B50D121000-memory.dmp
memory/5952-554-0x000002B50D120000-0x000002B50D121000-memory.dmp
memory/5952-553-0x000002B50D120000-0x000002B50D121000-memory.dmp
memory/5952-551-0x000002B50D120000-0x000002B50D121000-memory.dmp
memory/5952-550-0x000002B50D120000-0x000002B50D121000-memory.dmp
C:\Users\Admin\Desktop\FreeDon.exe
| MD5 | e1f17ea0754c07f8090d366d4d8600d9 |
| SHA1 | ece42940360b736f5a087461d59d4e7d20e23a17 |
| SHA256 | e1374461ee3fbb33b746a65eec26bf5b0f3a4dcec6f2b4086f2805bf14927509 |
| SHA512 | 78d81fb23100fb125348da151c4ed16ca88b07d52b451684b64712286ec70069f9a47539d34856b8050f60b0cfff40bf1af476ee153fb29cc18acb842dc1aa26 |
memory/5252-559-0x0000000000C70000-0x0000000000C80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3yo1j3i.ou3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4852-562-0x00000226CF440000-0x00000226CF462000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d0a4a3b9a52b8fe3b019f6cd0ef3dad6 |
| SHA1 | fed70ce7834c3b97edbd078eccda1e5effa527cd |
| SHA256 | 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31 |
| SHA512 | 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80b42fe4c6cf64624e6c31e5d7f2d3b3 |
| SHA1 | 1f93e7dd83b86cb900810b7e3e43797868bf7d93 |
| SHA256 | ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d |
| SHA512 | 83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | de72a228bcabf1530b028259a45904a8 |
| SHA1 | 8f584cd6b0e728a72e8fea86aeed8c308a80c95e |
| SHA256 | 3aa6fc7f1a9f4947c43dd2a3533a4db67bc89774b9eaa4f31279a1ff223b4411 |
| SHA512 | 762d5ff80a9fe0c2361d5a50a65b4625ca30a65fefeda8a52c7dd41a79162e3fe6f8623808730d07fe1b199e514b9fe3937926891beb5113119469d4fcd3e4a2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nursultan.lnk
| MD5 | 5a57ee4d5dd5195140a2e17d46a3757d |
| SHA1 | d3d328506078ea28450e8a4417dc051e4d636536 |
| SHA256 | 48e88d13eef82e3cff64b7ec47f51b1e7978c14eea0c835376c5ffa30c19ec32 |
| SHA512 | 23bee69d319ae1a4a9a7cb5cb5b89b2fe51b8dbed26cb73cecf474f4ed6a736d7cae3ceebec5c6c4c9487f36f7bbecf94da3ad0a61461df378778215d77e74dc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | a0f41b475d109b9b1890669039c8d3f6 |
| SHA1 | ce9f62eb336c1afce96001c148579bf435a5e64b |
| SHA256 | ae367527b14b5058395bf9bb9f8980f7a14a094ac61766bf31566ec0d11ffcc8 |
| SHA512 | bc42e2cb63b587ff51324546b13e4bddf69730d08ea6708fb54b09792826cdc6d4c4296c5e453e652424cca83a00363f171306f92efd3adb515dcdc2d5c6864b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | da7f697acf9dcd10f7ceabb1c61b5161 |
| SHA1 | ebbbfd4b7c547b7fbb9f32ed99e864772e5ca0ab |
| SHA256 | d9780ac6eb7d3e14404378637a7850f2c789de1f8b9e5202792e5aee46d0d2f2 |
| SHA512 | 2fba3d34aa5c0d5ca37d92dcf02b07b8b5f0ecb104f4cd742e7e11cacb3ed871d2054c87ef4ab4807afe50220b47142b8b67928b081a7a50f18ac802391b30be |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
| MD5 | 6268dc122b69bb3decc6f3553c2fac3e |
| SHA1 | ac4524ae31e1759a24a1c374d2bfb0401b4908b8 |
| SHA256 | fd26601d6fe26de94daa4976996fe507708a2bf7e0df2abeaa14445fe6925d60 |
| SHA512 | a79a005de36381468ddc5b3a486cfc3919374406db43e576014d672800688c01600cb914b8b08a6ab30f6524ed4a075ead5c55f7b503894b91fb428e85794b5e |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
| MD5 | ed0a8e0ffc0766398f67c2ff35a65ef7 |
| SHA1 | 1349610802bd524f47448a02104a02fac6e36d32 |
| SHA256 | 9146fb9ae7faf47a075ea2967e31f2f32dfe0cb3f4224e963ec35420b628240c |
| SHA512 | 81a62bdb015b4914a99e641fa8c9b4b98391c1aa8d1a7079834a80ad1cba244fe6a8ac26796330a7047886a86d0b44439b1b403bda22fed849688323fe1ddaf6 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 0c414731e876cb9af97d4ab69930b589 |
| SHA1 | 2be0b374c4840d920ffeeaf3a559af9956c23860 |
| SHA256 | bb136f084b3dce1332f1f474004ea35b16a0c161e86c4370aacac421db4ae336 |
| SHA512 | 98183f6ead1a98ecd364525d92a36638743d95c4c7ed6524b746f60094e214abdb75fdefdd447a97e3feb29a5d5a6d1fd855120ea656e8a6fc2e173550ab07c2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 950eb26a1f1841aeb80c63e78a1936dd |
| SHA1 | 0e2abaa973a49cd50ac1fd92c1157a81d91d2c59 |
| SHA256 | c2106d9d1fcafdffbc7d3c346d7479496c46f48fe9cbc12c45790994a959df36 |
| SHA512 | e9f2f189bd78b1433536249ae37fa5e40d075c10d1b6615e79092cfed1cd55e2bca742da73ee48fe0fd530e66de85b58cd2c62dc6e1ae09d545a79fe45e4b580 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\datareporting\glean\db\data.safe.bin
| MD5 | b1c8aa9861b461806c9e738511edd6ae |
| SHA1 | fe13c1bbc7e323845cbe6a1bb89259cbd05595f8 |
| SHA256 | 7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70 |
| SHA512 | 841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore.jsonlz4
| MD5 | 895b515d053be005553b962b3a91c16c |
| SHA1 | 11fc8c4498f8d418e59f0a0a3541390a7010ce80 |
| SHA256 | 7542ebe7fba865d26f7599c418555977b7adf397b4c7a8e8ad4137c57772ef84 |
| SHA512 | becdf2d5c9ee23e9ec5227fcfed08dbbd12f767652bbdcb3778e0d89608818d7f259bf70c9bfbf7acc08a35d24b6b86d05bfa2feea9583ad03dc5737b614905e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionCheckpoints.json.tmp
| MD5 | c8dc58eff0c029d381a67f5dca34a913 |
| SHA1 | 3576807e793473bcbd3cf7d664b83948e3ec8f2d |
| SHA256 | 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17 |
| SHA512 | b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4 |