Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    31-05-2024 15:16

General

  • Target

    nursultan nexgen fix.exe

  • Size

    1.5MB

  • MD5

    a3d07c747770c9a471a44446e46e33d5

  • SHA1

    8340534fb1770bae9660287ddb0496e243efcfe4

  • SHA256

    16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

  • SHA512

    307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99

  • SSDEEP

    24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR

Malware Config

Signatures

  • DcRat 22 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
    "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    1⤵
    • DcRat
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\portagentbrowserweb\Containerruntime.exe
          "C:\portagentbrowserweb\Containerruntime.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:204
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2512
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\sihost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:64
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\portagentbrowserweb\sihost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\sihost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2240
  • C:\Users\Public\Desktop\lsass.exe
    "C:\Users\Public\Desktop\lsass.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5060
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.0.481606486\1095259352" -parentBuildID 20221007134813 -prefsHandle 1772 -prefMapHandle 1768 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a65362b-d512-4758-8e50-877670938cee} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 1852 2dafdfd8758 gpu
        3⤵
        PID:3900
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.1.1429527686\1646534139" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea4b75d2-1a25-487e-9e7c-f8e501f9ec21} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 2184 2daf59e2e58 socket
        3⤵
        PID:2432
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.2.177409307\34289349" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2900 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc4b1c03-9ab2-4f59-8d5b-e8438501fcb7} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 3068 2da84cdba58 tab
        3⤵
        PID:2296
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.3.877706393\509023690" -childID 2 -isForBrowser -prefsHandle 3384 -prefMapHandle 3380 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c1d111-a9a8-4320-9d4c-8df40c169558} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 3404 2da834a6e58 tab
        3⤵
        PID:1152
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.4.1713544233\2081598886" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {121c761d-0db3-4b2f-86f6-5d3003b667ec} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 4256 2da86a7a658 tab
        3⤵
        PID:4488
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.5.2125883994\1694393229" -childID 4 -isForBrowser -prefsHandle 4756 -prefMapHandle 4744 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5ac7c88-bc09-459f-9b57-c1920751ae89} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 4472 2da873fa758 tab
        3⤵
        PID:1596
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.6.306947\1751483240" -childID 5 -isForBrowser -prefsHandle 5048 -prefMapHandle 5052 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8d31a21-9a19-47f8-96a5-ca5afba8424f} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5036 2da873fad58 tab
        3⤵
        PID:3312
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.7.2029447189\45586422" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2085fcbe-ef32-4d5b-801f-32e3cf844d11} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5324 2da873fbf58 tab
        3⤵
        PID:3780
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.8.748528905\377455978" -childID 7 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7ad1d77-63b9-47d2-bd8f-c6a2fde7600d} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5704 2da88723758 tab
        3⤵
        PID:5168
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.9.950250762\1085760762" -parentBuildID 20221007134813 -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ebc99e5-6da7-46bd-aa92-f1741739cee7} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5916 2da88b5d758 rdd
        3⤵
        PID:5432
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.10.1998504364\68965365" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6048 -prefMapHandle 6044 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4d2e4c3-09c0-46b1-a539-c3b407ff8168} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5916 2da88b5fe58 utility
        3⤵
        PID:5456
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.11.892419629\1309683216" -childID 8 -isForBrowser -prefsHandle 6284 -prefMapHandle 6280 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {417847ae-5983-4fd6-9bf9-b31b97319fe9} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 6292 2da88ac7e58 tab
        3⤵
        PID:5596
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.12.2032108865\1731595784" -childID 9 -isForBrowser -prefsHandle 4356 -prefMapHandle 4280 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f89ab3a5-9d37-491a-940f-55b13dd5c619} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 6592 2da86aa3258 tab
        3⤵
        PID:5324
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.13.566393915\2040945924" -childID 10 -isForBrowser -prefsHandle 4356 -prefMapHandle 7200 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8dd735f-8f42-4df1-91ef-623338bb401f} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 6228 2da86aa5358 tab
        3⤵
        PID:4588
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.14.1280319327\1185847357" -childID 11 -isForBrowser -prefsHandle 10456 -prefMapHandle 6536 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96cc1369-015a-4368-b14c-e15b6acabbcc} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 10452 2da8927aa58 tab
        3⤵
        PID:1144
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x438
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:664

Network

MITRE ATT&CK Enterprise v15

Downloads

                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\1619
                                  Filesize

                                  16KB

                                  MD5

                                  8c76e38ecb0d2c86b27447f23c76cc7d

                                  SHA1

                                  d294d68a7d8e3a2038bb66e779ab162ef1b94a31

                                  SHA256

                                  0faf4eeb909126d8275cc21eeee4e70f704f3882d9e1b27faa9666add0c690dc

                                  SHA512

                                  d6ffec013aa84fd683155a16984db60747505c9b4637cadd0cb78d1ce9841bfa72deac2f4626c0a8135d02438e251b1296a75f5f833e55f578048e679df58a87

                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\1788
                                  Filesize

                                  19KB

                                  MD5

                                  c90faca4ac7410e5e1c1e32670964aaa

                                  SHA1

                                  448ec45fb0a7075e469bed9688bfd35e5921445b

                                  SHA256

                                  4d644b98773a5c7622eb09a4028fe6c31cdd7962d3f701a6380c14e11bb54954

                                  SHA512

                                  d7e911e11a450a0406a0ae8f92ca1b20bcfb04f36622581ddbae4dadf1cfa431e0098f6b0680bdba754c72b31f830fd5f5f5827292df5fc3e52137818e6ad204

                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\26742
                                  Filesize

                                  15KB

                                  MD5

                                  a3e2a9afea17a90fd04933a3075a8e0e

                                  SHA1

                                  790846a3080836264f17752f00da6a90768d33ce

                                  SHA256

                                  3616921e5c60fa4ca957fd2acbd5ec7ab7c2983d2cc301b3956a9ef202312746

                                  SHA512

                                  cfaa0b787acad290f05770f109fa63572231b0342db15987a57d9eb145e04b5adf3fff773201511fffbada1e15c1e83de4c3c03c19db6d9898538825c1441974

                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\3226
                                  Filesize

                                  15KB

                                  MD5

                                  6d3fe88da0cb85d1876c89703afa799b

                                  SHA1

                                  9c857095997142d3b6e7561a72a21927d8e20504

                                  SHA256

                                  3a8094b637f78af6853e7088493da0b5fc1ec544d31e356a1199bbdb5e30e407

                                  SHA512

                                  6e189ccb3e6bc1e090a11b876b88aa26f218d0099657c995d2f95e3eb38d4ac7809b8113474031160594798fac818693181cd59232196f831c2d3837a820e82d

                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\B3316860430DA0966649580110E85D2FFB7B5A61
                                  Filesize

                                  23KB

                                  MD5

                                  963552580a1ff3625d7dac3cdc766809

                                  SHA1

                                  02edc160d61b35234ddc79b2cd83ee3a69c6efc4

                                  SHA256

                                  ce55597104485c4d5f941ec6593e874d51915460b2bb0989dffc2ca3142f362b

                                  SHA512

                                  938597699f6bea4e2d6874895e4d558ebd0fc6deb150c3bbd679a862cfb2a342b86e069cfd4a24a77ebfe89fca94c6ef64e2b0e43e94f94b4c0b5959d22c9dc0

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
                                  Filesize

                                  2KB

                                  MD5

                                  132011ac6cccb63bd6dbdf33068f0d6b

                                  SHA1

                                  14d922bc9a1b3fca8cfd15a60c7dfde045f63626

                                  SHA256

                                  1771fbda91e79384589e2596f89348f1b8bac26b767de96a386d593a5d61b452

                                  SHA512

                                  6d3e3ee55f80bc07ac9d10f266bee365dc3b5aa7264056701f0ac4c6fd5d5791321ef0f05b14adba5af6618771d8c7bb3cdbc9e79ad267bb57530ba58124226b

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\615f9224-3268-4337-9374-c1dc7f852c8a
                                  Filesize

                                  10KB

                                  MD5

                                  aef1d007a467f5cf27098023e49518bf

                                  SHA1

                                  2ea52fd20a2e480f7607e8af237134b99bb6c1ab

                                  SHA256

                                  c478a05ceb02021724bc2d790ee2d8385a487aba594731c50b525e943a4a8f60

                                  SHA512

                                  53a98cae60ae27e456f3c5f33efed68048339932859e0e8441ecba0b1efe96d645c5e9bd6ec9356278842f61b4434a94448db6c172027e0b775cf746d23b3006

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\efe87705-e89e-42e7-b3e1-d25db96bda79
                                  Filesize

                                  746B

                                  MD5

                                  d06f3e3b25a759191aef2bca5d5f02b4

                                  SHA1

                                  9cb2099d33498470085c961760c1f8eeaf6bae03

                                  SHA256

                                  ca00876d67d446642f3ed73023d04ff2a8e4b4001db896127c696d199610361c

                                  SHA512

                                  5525521a002a35186bd13bd185d25b6380c90a4d86714fe0f42ac4f4d790205566ebcdba9e6178c4632b261e8b5aac4a096f09d74de82e62726e6165049aea3a

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
                                  Filesize

                                  6KB

                                  MD5

                                  729bb85a798dd9496cced39fb7fe086f

                                  SHA1

                                  cf8d42d75ded9dee6b276e4fd038ff253a753b41

                                  SHA256

                                  dec5c5455e6d74c2743311f32f29d7c274bc4ce2bb78b0d30217544ad062425a

                                  SHA512

                                  f31ce7ceda8072c56a3f234e4626b46b94a0f7e7f5cfd17eb7d6130fc7d3295dd86d8a755b49cbc9f48c6f4d0f233ed0c529ea3aa12155e56de7d945bad01a62

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
                                  Filesize

                                  1KB

                                  MD5

                                  47725092e8694c84a9f4ad473f166626

                                  SHA1

                                  fd81a7a0668236185f16d65db6c408c0e8f6f4d9

                                  SHA256

                                  c93100b088228040179da7bb2f50136ea09b4364be23b55f8e51e6436c89582f

                                  SHA512

                                  38d765b70cd679ff035741345cc0f0f4a13b73dff12576cca4853d86fe78ad5f8a23f58668a9977a5f11f3c1370b7d8458bfacb05c2b41d3932aa8cd516a9119

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
                                  Filesize

                                  12KB

                                  MD5

                                  2d8dd2f5738d42b16f7877876ab1f5c2

                                  SHA1

                                  2640a254e78db2b95211f2928660f5640f691774

                                  SHA256

                                  e40bd6c15522145c37ddcd4288eba1e9cd8f4af0d615c233722aab4a570a44a5

                                  SHA512

                                  f9a249567dc0881322e2e5d77a6b1ade93fcfa3efce4183fdb7c8c08162fa4a8f8a82cb0f98138451a23354ca0b41aea278a3b09c6b27565fd1c8d474c8b09d8

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
                                  Filesize

                                  12KB

                                  MD5

                                  ca178bddc62dbcbc4a7f4eda6db1d846

                                  SHA1

                                  f03cca73fd1f95c8b97e28d46509e85d2d355202

                                  SHA256

                                  4d90f225e793df4fe9f982d6992bf25229b705d5e1de565a91d5ae083beddd06

                                  SHA512

                                  0aff9a7552a148e2d5bd7ac6ec3280eca0002f07966a23adeece216ee76ad3413d78036aff1ff5001ad7c84de9d305796740067b803eb7ebcc5751a5bb0d5f8b

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
                                  Filesize

                                  5KB

                                  MD5

                                  c665de8863129119063d846304404cdd

                                  SHA1

                                  fdc61098846cb021767f44c173b3f7e3685fe6df

                                  SHA256

                                  dc02f8229657368727dd3680ddff64b90e113676232ed7683b521718e032ddc6

                                  SHA512

                                  5f92afb4fde6d251415ac6534689ac385c6aced695de0729337cb769f9b7ba68e2f4cf38d024243327e68666b6b61c4c6cb527d36b16a2a73bd83673f596ff07

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
                                  Filesize

                                  12KB

                                  MD5

                                  075d94e75d4d19e04d22ddc3b7bdff92

                                  SHA1

                                  c6b72b8aec012ea30ce8b9baa396c124cdafe35d

                                  SHA256

                                  573b4acfdc0b941cee66dfce101c550eca8af751a3237f34d0c02381f3cb9b8b

                                  SHA512

                                  11d091ac738c881ac9f9e9fd62aa2b726354f3d513a3cf8a8ab84a218f11b26d87d211bd48d5a919691c3a563512edf5b444470d76d3788c563fd488a16eeb8e

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\cache\morgue\124\{67370385-2399-4edc-801f-9143f393c47c}.final
                                  Filesize

                                  4KB

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\cache\morgue\127\{f796a8c8-7e7c-4c70-875e-f8dab310657f}.final
                                  Filesize

                                  78KB

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\1321911027LCo7g%sCD7a%t1a2b6a2s.sqlite
                                  Filesize

                                  48KB

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\1578069077yCt7-%iCt7-%r1e2s6p2o.sqlite
                                  Filesize

                                  64KB

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\1578069077yCt7-%iCt7-%r1e2s6p2o.sqlite
                                  Filesize

                                  48KB

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal
                                  Filesize

                                  40KB

                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                  Filesize

                                  184KB

                                • C:\Users\Admin\Desktop\CheckpointFind.vsd
                                  Filesize

                                  552KB

                                • C:\Users\Admin\Desktop\CopyOptimize.css
                                  Filesize

                                  228KB

                                • C:\Users\Admin\Desktop\DebugRepair.WTV
                                  Filesize

                                  418KB

                                • C:\Users\Admin\Desktop\DisableAssert.midi
                                  Filesize

                                  361KB

                                • C:\Users\Admin\Desktop\EnableFind.mhtml
                                  Filesize

                                  571KB

                                • C:\Users\Admin\Desktop\EnableSelect.kix
                                  Filesize

                                  342KB

                                • C:\Users\Admin\Desktop\ExitConvertFrom.zip
                                  Filesize

                                  304KB

                                • C:\Users\Admin\Desktop\ExitDebug.mpeg2
                                  Filesize

                                  495KB

                                • C:\Users\Admin\Desktop\FindConfirm.vst
                                  Filesize

                                  247KB

                                • C:\Users\Admin\Desktop\GroupRestart.WTV
                                  Filesize

                                  323KB

                                • C:\Users\Admin\Desktop\InstallDisconnect.ico
                                  Filesize

                                  399KB

                                • C:\Users\Admin\Desktop\NewInstall.asf
                                  Filesize

                                  437KB

                                • C:\Users\Admin\Desktop\ResizeEnter.bmp
                                  Filesize

                                  533KB

                                • C:\Users\Admin\Desktop\ResizeUndo.temp
                                  Filesize

                                  380KB

                                • C:\Users\Admin\Desktop\ResumeLimit.exe
                                  Filesize

                                  514KB

                                • C:\Users\Admin\Desktop\SelectUndo.kix
                                  Filesize

                                  266KB

                                • C:\Users\Admin\Desktop\ShowRead.css
                                  Filesize

                                  456KB

                                • C:\Users\Admin\Desktop\StepConvert.wpl
                                  Filesize

                                  818KB

                                • C:\Users\Admin\Desktop\TestSelect.ram
                                  Filesize

                                  285KB

                                • C:\Users\Admin\Desktop\UndoTest.xls
                                  Filesize

                                  590KB

                                • C:\Users\Admin\Desktop\UninstallOptimize.search-ms
                                  Filesize

                                  209KB

                                • C:\Users\Admin\Desktop\UnprotectMeasure.avi
                                  Filesize

                                  476KB

                                • C:\Users\Public\Desktop\Acrobat Reader DC.lnk
                                  Filesize

                                  2KB

                                • C:\Users\Public\Desktop\Firefox.lnk
                                  Filesize

                                  1000B

                                • C:\Users\Public\Desktop\Google Chrome.lnk
                                  Filesize

                                  2KB

                                • C:\Users\Public\Desktop\VLC media player.lnk
                                  Filesize

                                  923B

                                • C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
                                  Filesize

                                  157B

                                • C:\portagentbrowserweb\Containerruntime.exe
                                  Filesize

                                  1.2MB

                                • C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
                                  Filesize

                                  220B

                                • memory/204-31-0x0000000000420000-0x0000000000552000-memory.dmp
                                  Filesize

                                  1.2MB

                                • memory/204-32-0x0000000002730000-0x000000000274C000-memory.dmp
                                  Filesize

                                  112KB

                                • memory/204-34-0x000000001B670000-0x000000001B686000-memory.dmp
                                  Filesize

                                  88KB

                                • memory/204-33-0x000000001B6C0000-0x000000001B710000-memory.dmp
                                  Filesize

                                  320KB

                                • memory/204-35-0x0000000002710000-0x000000000271C000-memory.dmp
                                  Filesize

                                  48KB