44caliber | hxxps://download[.]oxy[.]st/d/gsUh/2/08f447eb6d227943a20c83089325f8e2

Analysis

max time kernel
375s
max time network
383s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.oxy.st/d/gsUh/2/08f447eb6d227943a20c83089325f8e2

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1250466807987572878/2s356N2ZDLYW7dWoAtj5Qd-O5vz4lzccfmJMAUbgo5m24fFJ8yVB5CEZcitniXRiRtZB

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NursultanCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NursultanCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NursultanCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NursultanCrack.exe

Executes dropped EXE 8 IoCs

pid	Process
4904	NursultanCrack.exe
3168	Nursultan alpha.exe
7080	NursultanCrack.exe
2244	Nursultan alpha.exe
6720	NursultanCrack.exe
3832	Nursultan alpha.exe
3800	NursultanCrack.exe
1600	Nursultan alpha.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
442	freegeoip.app
443	freegeoip.app
463	freegeoip.app
501	freegeoip.app
505	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{35B4AAD8-17FB-4D97-B1EA-2DD55AF5ABBF}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A497B34D-B96B-4CBD-87D8-7FE4C4047910}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\NursultanCrack.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5652	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
3168	Nursultan alpha.exe
3168	Nursultan alpha.exe
3168	Nursultan alpha.exe
3168	Nursultan alpha.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
2244	Nursultan alpha.exe
2244	Nursultan alpha.exe
2244	Nursultan alpha.exe
2244	Nursultan alpha.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
3832	Nursultan alpha.exe
3832	Nursultan alpha.exe
3832	Nursultan alpha.exe
3832	Nursultan alpha.exe
1600	Nursultan alpha.exe
1600	Nursultan alpha.exe
1600	Nursultan alpha.exe
1600	Nursultan alpha.exe
7144	msedge.exe
7144	msedge.exe
2428	msedge.exe
2428	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	1568	taskmgr.exe
Token: SeSystemProfilePrivilege	1568	taskmgr.exe
Token: SeCreateGlobalPrivilege	1568	taskmgr.exe
Token: 33	1568	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1568	taskmgr.exe
Token: SeDebugPrivilege	3168	Nursultan alpha.exe
Token: SeDebugPrivilege	6608	taskmgr.exe
Token: SeSystemProfilePrivilege	6608	taskmgr.exe
Token: SeCreateGlobalPrivilege	6608	taskmgr.exe
Token: SeDebugPrivilege	2244	Nursultan alpha.exe
Token: 33	6608	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6608	taskmgr.exe
Token: SeDebugPrivilege	3832	Nursultan alpha.exe
Token: SeDebugPrivilege	1600	Nursultan alpha.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
1568	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe
6608	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 2172 wrote to memory of 3520	2172	firefox.exe	91
PID 3520 wrote to memory of 2368	3520	firefox.exe	93
PID 3520 wrote to memory of 2368	3520	firefox.exe	93
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 2448	3520	firefox.exe	94
PID 3520 wrote to memory of 4996	3520	firefox.exe	95
PID 3520 wrote to memory of 4996	3520	firefox.exe	95
PID 3520 wrote to memory of 4996	3520	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://download.oxy.st/d/gsUh/2/08f447eb6d227943a20c83089325f8e2"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://download.oxy.st/d/gsUh/2/08f447eb6d227943a20c83089325f8e2
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.0.1367579934\1567898965" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fa33665-f01f-47e6-a044-1312baca0242} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 1960 2087e0dc158 gpu
    3⤵
    PID:2368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.1.1255234093\1414716227" -parentBuildID 20221007134813 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89b88829-2662-41c3-946b-4987cbf15732} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 2384 2087dfef558 socket
    3⤵
    - Checks processor information in registry
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.2.309102216\1415034306" -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3140 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a5ef624-2233-4876-9238-60541753b63a} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 3156 20809fd4f58 tab
    3⤵
    PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.3.2042765272\1821244929" -childID 2 -isForBrowser -prefsHandle 3976 -prefMapHandle 3972 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c8f9744-0bfa-4834-a44b-6144a9ed4fd6} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 3988 2080b335658 tab
    3⤵
    PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.4.609860717\1087775455" -childID 3 -isForBrowser -prefsHandle 4872 -prefMapHandle 4892 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8ab45a1-2f44-42e0-b0cd-53294fd2430a} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 4952 2080bb18458 tab
    3⤵
    PID:3312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.5.1479962151\354085572" -childID 4 -isForBrowser -prefsHandle 5088 -prefMapHandle 5092 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db909126-c249-45fb-9679-c4acb82457e3} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 4972 2080ce26658 tab
    3⤵
    PID:2028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.6.1934684822\161046116" -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38db15fe-e746-4673-bbc3-bd0d4c109e7b} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 5280 2080ce24e58 tab
    3⤵
    PID:3296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.7.1798650552\1730499050" -childID 6 -isForBrowser -prefsHandle 5944 -prefMapHandle 5868 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c469af0-91e6-47d7-aad3-1639725fd528} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 5916 2080a0ee058 tab
    3⤵
    PID:5136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.8.1826001083\607499260" -childID 7 -isForBrowser -prefsHandle 6088 -prefMapHandle 6056 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e76e9c2c-09aa-41ec-ae13-09158949d40f} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 6068 2080c59f258 tab
    3⤵
    PID:5156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.9.39772382\866648100" -childID 8 -isForBrowser -prefsHandle 9860 -prefMapHandle 9836 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {098c1647-f4d9-4de0-b228-e328ad67916c} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 9880 2080decc558 tab
    3⤵
    PID:5412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.10.876091123\1847671134" -childID 9 -isForBrowser -prefsHandle 5360 -prefMapHandle 5284 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33251710-c2e6-492d-9ee9-cdd83cabacc4} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 5244 2080d837b58 tab
    3⤵
    PID:5212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.11.726053069\1299295425" -childID 10 -isForBrowser -prefsHandle 5424 -prefMapHandle 5408 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b3bd25a-78bb-42f2-8bef-3f64d3f57029} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 5436 2080d969658 tab
    3⤵
    PID:5228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.12.1898945719\629694911" -childID 11 -isForBrowser -prefsHandle 5368 -prefMapHandle 5396 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee093c11-4944-455b-9cd8-3a9696788c73} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 5360 2080da38858 tab
    3⤵
    PID:5500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.13.1590962392\1927046332" -childID 12 -isForBrowser -prefsHandle 5956 -prefMapHandle 5112 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df916cd1-4aae-436c-87e9-25d0fbd6ce84} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 6028 2080d0b1258 tab
    3⤵
    PID:5172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.14.1900864972\1751018493" -childID 13 -isForBrowser -prefsHandle 4884 -prefMapHandle 5964 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e40b6fd-1c23-4f2e-bd37-fa0abc45c182} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 4648 20809f48658 tab
    3⤵
    PID:5388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.15.1635459952\1071940801" -childID 14 -isForBrowser -prefsHandle 5168 -prefMapHandle 9748 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68359910-c25a-416f-bc83-60b6187f3675} 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 4964 20809f72458 tab
    3⤵
    PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5112

C:\Users\Admin\Downloads\NursultanCrack.exe
"C:\Users\Admin\Downloads\NursultanCrack.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4904
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan alpha.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan alpha.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4536 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5372 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5128 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5004 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5752 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5940 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:1764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5768 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5764 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5772 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6028 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=5940 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=5684 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6084 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:6452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=6220 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:6460

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6160 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:6776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:6864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6088 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:6884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=5392 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
1⤵
PID:6960

C:\Users\Admin\Downloads\NursultanCrack.exe
"C:\Users\Admin\Downloads\NursultanCrack.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:7080
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan alpha.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan alpha.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5624 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:6908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:7144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffe83262e98,0x7ffe83262ea4,0x7ffe83262eb0
  2⤵
  PID:6216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2212 --field-trial-handle=2224,i,3365513792137145220,7665317921650383443,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:6404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2320 --field-trial-handle=2224,i,3365513792137145220,7665317921650383443,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2440 --field-trial-handle=2224,i,3365513792137145220,7665317921650383443,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4424 --field-trial-handle=2224,i,3365513792137145220,7665317921650383443,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4424 --field-trial-handle=2224,i,3365513792137145220,7665317921650383443,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=2224,i,3365513792137145220,7665317921650383443,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4592 --field-trial-handle=2224,i,3365513792137145220,7665317921650383443,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4632 --field-trial-handle=2224,i,3365513792137145220,7665317921650383443,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4640 --field-trial-handle=2224,i,3365513792137145220,7665317921650383443,262144 --variations-seed-version /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2428

C:\Users\Admin\Downloads\NursultanCrack.exe
"C:\Users\Admin\Downloads\NursultanCrack.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6720
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan alpha.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan alpha.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tmp239E.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5652

C:\Users\Admin\Downloads\NursultanCrack.exe
"C:\Users\Admin\Downloads\NursultanCrack.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3800
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan alpha.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan alpha.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Cookies_Firefox(63).txt

Filesize
1KB

MD5
3825c8d7b94a810274e5223d58e7d149

SHA1
b8db0334df329bb9e32fb05944f4e8e85b53337a

SHA256
ccfb42396d8c9af955ced4e715133e703aa6d9396eeefee3ed93d2a05bfb75a3

SHA512
8cb131b6c03a1e6c1f9da5b476b65fddf30109bcb1422337fd4b6652e95417aceb33044d2991558660c9e1860d3a6c71e177e9be07d7e5ab111b86eb4f1c992f

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Cookies_Firefox(13).txt

Filesize
503B

MD5
ed92db19caddb9639d0659ccdb0917c1

SHA1
85feb337bce462144d0db697daebeb718d5d0dc8

SHA256
f8877070abd782e805e026acccd710696eb82968342d476f4bf4fce73a389f86

SHA512
0c6e6fa51b48baf2b08ebfa68796f8425ebf3fbf8f34b5bb05a1b250dd4557829e13a7c6e5b0ff0d546963a334dacf1bf6b868f04c2db6f42367f02129ddced2

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d23b3493b593edcb0b6ed882c990bd03

SHA1
188271aee418425d0800b690e6f2789ec20effd4

SHA256
ab40836f8b11f28b7fff1497c9d4e1521557957fc17d9838fd8e1deedb8c253d

SHA512
2dc37bbb44a5d8dadfd82412ed14164f93f02863b41bd79a4f961fc28d571ae69eba217cef15bc2d0310c7cc4fadf9addeaf7718ed6f5c43e8a8d4f34cf16f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
4797a1ec8bdd9fdd87a831ceb132aaa7

SHA1
3fa5f14756531228d3f542774da7cb05795ddbb4

SHA256
011eead8ab54cdbcab93e3adf2341616f7ff8ecdf87eb09a636922db6d085f89

SHA512
7d393beb1faec5482ccf1f2a467ad1ef42155ba2eecaecd9faecc3423afe7d692eb34839c405b8023ae5b0b4db7fbcca1142cd3114297d6503e6475a11eb9a56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
ac64d492bcba0c686f8deb87be7cca82

SHA1
8705c5adcdc5b9e47b62ac561444c1cf31a30859

SHA256
d1c4a56082fa0c86942aaa0ce0e2544594ebfddde45820d6f51bc262b34175e3

SHA512
ae8e7752fd370f72b7de2772653cc98e8bc5cf227c33f902d03a72a616b3f929974093840fc395065ec054998f46d3de662f547b325faa7e556c4dc4698669df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
81KB

MD5
dd45ee8306f0a04e6ffbb4983dc6e24b

SHA1
921f06e5606c721618514346354e9bd6090afbeb

SHA256
eeb26823add146d7069de56fabf155f04120b25dc8658c84bfb863708ae71071

SHA512
bb708d7774b842a1a16b74ddb300d115320f40256ca4c4d923e1717d6194fed1d069c80798ab6b079796e8ce9c44132a17e2289dd15d6b16edcbb0e26da933c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
81KB

MD5
1e8eed376eb98e7ae1122309777aa328

SHA1
4d5ab5d3bd689b5ec79252ddf27f7e467eb64ec5

SHA256
b2ff0a56e6c123302a7daa7957940417136b4bb354186eb78470a571d0a1ab09

SHA512
d8273f0c90acc17b25bd28cf466dac6e3c325b761a0c57784dfb274eb8a3b03bdaa5d1c11d1a131cd72133bf8c05cbca7140c58f7654394304d4e32743eac254

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\doomed\1534

Filesize
23KB

MD5
8af7920bc56a0e6c1195f29cf57c2c45

SHA1
1640c1c3454e80404e14e2355e6b7badf9e7de5b

SHA256
5d07c26e6fd2331ca49ddf329ea86b59d1f044cbc201c2a038e9488b27c072f9

SHA512
b65a30a035d87502f1d518be5fd4c5dca576b17ce10ca0c84542b904e82464d51aaeb09933e5e9ad34cdc5ef43f5fb1d264e1b2a73ec73a50c9a0c85a933b1d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\doomed\15668

Filesize
17KB

MD5
41c818abda772bd7022713320c3d3a5e

SHA1
cd4c20656a0b51fb2e3e6d349ed158eb7a0914d6

SHA256
be910582ee5eed9a8e00c52b0dfdba3abaaaf816df143f94c385e7734da48e74

SHA512
290ef36587c94f78ff85b172c09e1cac599487ac17c712d232050cde52865587a1c1635d81034019470b0d7c3711a6834b682e6dd891b0d67dcc9a2051941213

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\doomed\22203

Filesize
8KB

MD5
028a5deb557054e93264029a0893c963

SHA1
c63e121d19bb81d0393f9dd179ff04e03755d55b

SHA256
37e2499d3158b04386cf72c10d760318a5d2bdaa06398fac1a5e294254057782

SHA512
a1baedcf3e12f5c09757c0ce4f5040dcb8b3540b5c6ccd72fbfb061316252367f4cd91206ffa112ddb2eef5f6d9a44bdc3c2b14bef947fff5ad11dce016bb85a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\doomed\28788

Filesize
9KB

MD5
a54175f5b30b66001dafc0424e7ab3b7

SHA1
7bac26dde064d60d0deefc6564bb77655818c60d

SHA256
19740fcca7a810a31a70b4209c0029785640a55df2c951fe65c3a8c54db6609c

SHA512
6bf07dbbe16905ec7a3091a5109cbf91ceb490a97bf7e97e6f068c3b14dc59825ae2a29c0d3dda9ba7a2e393d2598fef3725e03f626ab68498aa6a10d0276381

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\doomed\30039

Filesize
41KB

MD5
8b709cadc85612de40eebf98763bf561

SHA1
b9b6dd9b3d83763a9903ea75524b5c3828c2ab67

SHA256
c8a2e1d3f0a4f24b4fbc422c9041ca5077984737f335561db332773c210a334f

SHA512
bb0092bbfc1d4dfad8182aca484492181e96db08474922ab2a01f859733c8baf34aed1d15fa6f978b01565fe47b9fdc5e9ff82c1fee19730aaeb1d48349f5739

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\7C3011E186E64FFFA59029CF876BCC19626D5F8B

Filesize
212KB

MD5
64515cae7ff0004e21647efa18f7754f

SHA1
a5e87d76e79690f796de89cdd3b2f719023112a7

SHA256
9c73f5d45c62cad77ea820b73623e754ff4f97a97ce56724e543b7ffa8f7b4af

SHA512
c8d678d34d18d6f18805aebd207385a12fce5dc52b2178e686fc3ffc8aa9d26ed641e88860ab384bb419638ea844a230571789f92c93a691de6257f013c9f061

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nursultan alpha.exe

Filesize
303KB

MD5
9cdfaf49787c74eb13ab7761eabe56ba

SHA1
789adebf4fcd62b4522d0e3a7f5ce2d53bc2f5d4

SHA256
060fe8ac7451f1f3ffe6414820aa59e302567d6b39018c3577344b0c936f8724

SHA512
19066b61ba0104579a4bed6bdf3d3642db1733734d2b1d0c582a4530cd51603bc7d3ffa0ce7700e7bd1c9cb3d00f8da75de2c6f659a8d71ca886f6bb3f97fb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23BE.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23E1.tmp.dat

Filesize
56KB

MD5
d444c807029c83b8a892ac0c4971f955

SHA1
fa58ce7588513519dc8fed939b26b05dc25e53b5

SHA256
8297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259

SHA512
b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDEE.tmp.dat

Filesize
92KB

MD5
4c2e2189b87f507edc2e72d7d55583a0

SHA1
1f06e340f76d41ea0d1e8560acd380a901b2a5bd

SHA256
99a5f8dea08b5cf512ed888b3e533cc77c08dc644078793dc870abd8828c1bca

SHA512
8b6b49e55afe8a697aaf71d975fab9e906143339827f75a57876a540d0d7b9e3cbbcdd8b5435d6198900a73895cc52d2082e66ee8cec342e72f2e427dde71600

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE21.tmp.dat

Filesize
220KB

MD5
c9bc721563ea14414e7d2498c960ac98

SHA1
f11de38dc10df3beb8b90998d2d1f1125dd8f6d0

SHA256
785d665696a0f1de32a0e7a715a1a52e443f2afcc10871b083774400ebb8da3d

SHA512
1f69872fb4f22ae29deff86be617194ce13fb8e1de417d6524b4b16385ce73a4e98cdad925d579f8c756376ed3fe55891f6bdc6c7800d280954d45c5902c8b31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\cookies.sqlite

Filesize
512KB

MD5
b30f340c53ec9fe1f614d790cb142788

SHA1
01f444653220f0c958eb42d19c168d72518ec8ce

SHA256
757e512b5e49c164803e5c392c5958f00b3302122bf40d8e19be6df490687875

SHA512
385cac0fe681ba5b0e290206b23a8aa712094b559d92fc891c3602e3a5bd35f1a188dec7d31c92745110b33d20cff23a0a836130a14c6b20a72eca01e020f15e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
7449ac08c865b7b9da34b5a330164e73

SHA1
b9ea6057b5ffba6c53a037a391c40f84a538cbdc

SHA256
a59281a23ce2c30ceb827814086a40c45c386a85f82ad099603a2c74f77bb820

SHA512
b86502a7c598c889a940b74ec1ab0a53eefb0f1eeb29c6c08feca9d1753e17705787b6276b4fac9cc68eaf6e161fb4be1c906a4b0334d3cb6c384a6724915515

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\091f33b3-aceb-4576-bcc5-19ff7eadcc3a

Filesize
10KB

MD5
0b8bbbb596ed1c5a892d428a6b108e43

SHA1
217c55ebcaf34187cd06dbd8c676bee0d4568307

SHA256
f5f22b6bcf923532a140e6f1e830748ca897a2c37b1d8e0c3acfe6213d9e22f1

SHA512
89ea81fe7b53c0a1135cd7ea22a2ee2ee9fcc8e05ab02d502cd9f8512a182031921156b0905629da2156c71bf16ecd18af135eecfa7377b964da2561de38b61b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\d52136eb-8be5-4c0e-9883-603debaa3d55

Filesize
746B

MD5
89b35f98ffafb81a82006269b0e262d2

SHA1
67bbe64c93a00d663bd0ae6d8964a410b19e37a5

SHA256
0a15a6fafe8114b7b0a787e0bc9bc578737283ef04141cb1fc7dac8bff50ba7f

SHA512
a910265467124237eea338c5c4eb1c3c8c2a126f0989bd6912027cc3bc1fc3fc2a1be6c7c8d6bf066de3423f0265786ac80714804f3f6cead80888a5fbad21ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\places.sqlite

Filesize
5.0MB

MD5
1b76a14050c702c895b51ecdbbec0da4

SHA1
4e197ba438dfeb341b69ccfea53f4f62c9c2ab91

SHA256
9a7f0633c5df10404dc341c92cedc92ca57d87e84313e31495f740af3539365c

SHA512
bb898f3afa93ac547d2a06cfc0bbcfe99de38da9af37bcfc91f7fcc0473dbed13adfc456d4c17801edccb7ab239b58326996d2d01bdda4df3ed5be5cd760463c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
8f2c696ced646c35e479c5e9549b92ae

SHA1
480fc1fa5d2e4d9f288470947927570334d17878

SHA256
b630477e0a3991ab062e3b94884698d8e78df31dec62bf543aab81e782bcd433

SHA512
9788ca15289cb08674e5766541cb8cbddc2c30ff9fa0bc6b383a80d2ec73664bd8ab945b30e756a34924e73d4265238126523cc140a6b84e5b92c55e4dd0edee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
8d7ae3c5bf96d5d0dac61033ee7691b5

SHA1
6d10d41ce4a0032762d197d7c65055c2fb0c67af

SHA256
75f13e77cf2bff2611741cc948373d296f7eca6feea72f5802ca6a6451b445c4

SHA512
be94544baae5b535bd8c6d3e9e09eb7e97ffb1df7e9f60a3eb4ecdf861ed6eedaa97cf5272805a4692955e2f612fadcd5fe3c297c3e0c0a02a22f93075ca92f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
394ac731659dbd2034267be00656c6ad

SHA1
e78a899a426b3d939058037baf2aa9a0ef250879

SHA256
09cc06ed9c50dbc0f74b55c2742554da6ba86a314998ec5c886a3993013b32a2

SHA512
d93b5947209342c562e32e3f4bf387ba2aaeb055f0f1bd1d1d865a94669d5e7bca273b12a7f14fad48ccbc7bff22a6dcfa385fbf1bb53b72530a4f84879475f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
d3e9f1d0b87862a300e306043f681de5

SHA1
68cc041db17a714b1a1370fb32f406dff3f16e9f

SHA256
4ff1fbabbf6519754b4a567db74ed9fdee957c8b60b6297db43927f80b92144a

SHA512
6d6dc934709610d8443d69e0d232fb4d10c0985055e56a71d6bfb88d87c991f6e32fd3aee4523ecb3125ebdd3ac9df1e283632e2e43ee64f204d6d45a06664d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
de654349d20ab1cebf21870a3268c6d0

SHA1
94cd5b0086cd05e2a06f22d56d9e6b4495ccede6

SHA256
3b2fd7ffdfdbc96b3c48ff6ac195ff1af5b63c0fa08841ff2c7222d44aea4e61

SHA512
c9964ffaffa9c11301d04e0461e8d3f11b22a23bba9a2dc3d30155ef420be2dc4a6f498cf3542239dc6ff11f1b13773ff0d7e78969b01892de611ef7d9ee77f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
88db53b2a517683cb963ec6487ca54b8

SHA1
2f71f3ac192c8836c21d177a36f8afcc55ad3a5a

SHA256
7aba6c79433b8539d173a52d7f0b96730c06d5d262e362502a1266f3aa4c0dc1

SHA512
3bcf3a9920de7e08e5e712eb5aed6057209a560f914a0c32151a723e2ee6f51a6c68d0a388020e2c22f040cdba7ae43d1d1e17415d96b8f25cb220228665fb4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
24e65893bbae6ac65da8be40cc965905

SHA1
531c1f4e4296146c10e7f2ad2ba44f98856816c6

SHA256
982a80d925df426461bc90d84ab993aa1175f68dca7591b09b48a016b27f536c

SHA512
1f405f81cf80fb3bd9ad5029079dfce50c74d747465902c8bc10d625bd403552efd03be557e8acd5938295d31b4a758f67af07e7bb5063aec7c9a0177a863207

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
9d36318a3fdedde6b61dcd7d38b51bb4

SHA1
c4b258dffc9c5c22b9fde93359d2c0a3b3868a45

SHA256
0fc6c2b70932e9cc9046fb73c69726cc063f9c5a32f966a8a72250c5c0020835

SHA512
4c47a41021c15f51492d42a9ed669987f8db51200a61eb8f93b7baa8935ec8a65acff408eb1eed77df6fd9d36c4f4c56a715bd8f4a0004786f1ec35a8afa81e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
495fe654de7e9e0847e7df3294b4fbc2

SHA1
39461464a627c68af52724a2b712824e1d0b1b0d

SHA256
8ce10f60458b603a84edca3a4dfb363e77c4a7f1c90731be394f778746b16192

SHA512
447c889c2fd7c7f234730cd5188b8baa06bb2c170ae913e1c9eaf275df9ca0774b7f6516fa1e819b0b57d1ee7955f1bf2af926292b938bf0d4c9bb7ea2588ccb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
49aaee27104f00b21ec2fa427ad426d0

SHA1
2923d2ecfa0b964d6fbc55bdc0fb9d453cfef402

SHA256
1c7c9b4f4438534c95af67bbefba1b0bc7b1360f66477190f5471a313f48b991

SHA512
bfe56f19daf28c6db6bee166a3e28c579db7f2282e0a1e0cf57baf33a8381789a896359419061539e892a4c716fa9546c3f28f11e1fcb4fa44b73ce390993ed1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
a223b520325f6c39cf037300da314c7b

SHA1
ba30eab7bc033d9e5c86414a25d7c256247dece3

SHA256
86627114b1a9b7fab9619e29f2e0b9978f5ea96a6a88ed72fc1f4b63ec5976c1

SHA512
475b34a6a87bfa2a5e63d1617208600ac19eff3f2ed364d5741d3987327abfee81ff761851a02358c5ba5ba1bb5857a96d4992ac3c0471d288e0bf65c1f5540d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
15KB

MD5
aa84bc97ab0c2b9f84d78be9a30b5f6a

SHA1
0cd999ce4d5085d4d7a16806f610bd14b128172e

SHA256
38b0e52e2fb9a0ea7cfa5f39d83c7b8d479dcb7c6b924860a0094191e17e433c

SHA512
6e4d8cc6abd2a50d114711aed172573ac6e6c9b40391e4746800e5e03278d6e372cfdfe5cc517bdc72563fcb56999b88351a948903ec1446723934975e2b6692

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
0db1e07d5c9144843d6ef63762da20ea

SHA1
97e85234ab3737e440bde282c7f510685c5059e5

SHA256
1007fef65b87319c71fd35e0930f273e4de80618a53aa1472c15802d1c848cdf

SHA512
002abbe088632e11e8517742dde5fdd1c50abea2daf5bccb8d40727ba681f7df5dcb98e8e24063fe3fd5d54d6cb1415e13e355e2a40c9986720ea8e5c0539c71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
46807d688a823ee9457fa61e6741d5cc

SHA1
bf15f2f012c8d1b377b4c25e8c271e326b1f068e

SHA256
a043cfaff1aa5bc847543652e329c36822f14b9b4e6761aa314432bb66fdb43f

SHA512
8eb1a0a68d6c55403df755d84d2934633aa25c421eef6cf0738dd067d881e28258122302468dcfccdb8f2b109c3ae989db6a249c3b9b3071ed43b4fe2f86ec32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
591893af2e428640a501bb7d87d60b3e

SHA1
b71871ebff27772f4da115a75f31a887e2569d88

SHA256
cd76d167e489146ee0c9838d139e40fc5e102bcc66b272637c35624e44a0a743

SHA512
cf8a338d1a737ec8077c5ee200438a8e50652c6eb59495469dc63edec76f43a0584b1297ea4a3144e7e95d326ccd9b913290d98a6db091688b29d9061ef1755d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
537113316feeae88b8d00b1b4cfa6212

SHA1
a8bc305f4b54367f7505bbe8d4469c6251ffd1a6

SHA256
017c360937fd2f23488b87db435c533c8e67054667dca1c219d3fa5ffd3d4bb9

SHA512
291c620e8741ee9ae4f4526c268408b23c3b5cf27673b25f40c6172be6630afbd09f4c769ee91539c9736d7977702412e09e3d7cf8eea43792e69cf02515c7ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
1c887dfa0437c35fb4555618b652a9e9

SHA1
a5aaca4ba130ff43ab5698f18e63efef426db5a4

SHA256
4ff7c46251d3ca771143b175ab0014858bdd848f9e8600ebd6f63576a8c39cba

SHA512
426e8ecc2e077906634880ebdc847cb1c146361a17f402d50783990ae8391685525fe17eca4cc1aed2f2756d3cc80fbfed13b10f999f31456a18d4fed7d0c410

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4

Filesize
16KB

MD5
6c1eccf216dfe37e26c79dbe28767c62

SHA1
7d92d13d9c2ea1a19a696150f9ffd41e17a2f7ef

SHA256
65ea622e9ea58bb752c3d073e67dcff8f31cf4d50ec49fa2550ce42f235d098f

SHA512
5a1d82a6d92fb1ec43e0446bfce9ff360478049c6c63fcd03c921da81c6fc9521173612caf2a90ddfa9333c822f58135b2e7f3e3b89aaec9d4532973ca4a1171

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\default\https+++download.oxy.st\idb\556220133rrae_su.sqlite

Filesize
48KB

MD5
228a9e159db1380f70dcfa2d5d491d1b

SHA1
1424dea9f44d6099d72baf3e419a053030836f14

SHA256
020fb97e4b345ace698cd818f555aa78904aad322f0d9bf64b796578d106d744

SHA512
0b06ba5c4d584f948279b23b10bde54318892ac597adb826bdea20359d8fd599bd3bea27fee78475be5868fe3bf9ce45ae2621793bd8fda197e143d61dd3f6b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
89fb414d778d11d3a12991de60301815

SHA1
1d7a63ca92d9ad28930ce2feaac8c71c3f699ef7

SHA256
935ba660008416f0b46a028a709944f11f9c2858243a2f7bc0b57aa1d96314be

SHA512
49f06dc78f2e08621ba4ed19925d8c7ed040502f13edaeedc7df3d675e77417d8b7b3c0b3feaf7f4fcef989091b363f5af1fa9258de57cee5bd904e1d7a31f9b

Download Submit
C:\Users\Admin\Desktop\CheckpointConvert.mhtml

Filesize
600KB

MD5
aee6fea7bbdcec1dd2e10e02bdedcdc4

SHA1
349ac78eb7143c562bc2257ad37a8d9e4b657d2d

SHA256
69e8fef3cc5bfdcdf6229c0690e6d969917fac1810f5de0b36748d713dc25969

SHA512
9972d43699779a4b1fe48c69b2367b94a2a94ed11b1ed5fac64f87992562223f73b6920db0c5a861ccc809a0923cef0444fb15689ceb457ef7d3a83ac79ec32d

Download Submit
C:\Users\Admin\Desktop\ConfirmUnblock.nfo

Filesize
446KB

MD5
b39fe3771073720306b13731e1402315

SHA1
149f234df429d4f8a36cadc3e6b52589fb6d9a6d

SHA256
56f2da6c56159f8fba7cb9e68623f9cacfae34d1899d640c67a42299067fa16d

SHA512
63e829a967864c6c72307643b354e0a318b9c17cfca1e9d95b6c99951d22370dca669a3ec0b0ddb1e6a721e5d46836aeb6ff43b029798f1f2db039c353d99574

Download Submit
C:\Users\Admin\Desktop\ConvertFromReset.emz

Filesize
574KB

MD5
216e8d282d22f503230ce1546ec767d2

SHA1
000820443c7b1b5c2cb3a7c2ccc7a9b6eb3af87c

SHA256
5d41b4e326a1388f9760df892f3f27485c9d18dd52d53dc0605732dab03b74c1

SHA512
357149512508e5e26176fcfcef4efea3caa0bf4ee36c73024f3fa67fb0f0d2e88cc1e7273cd95e2a1d3cceb1db90e7629f7cfb4149c863649befcf6a57ca2583

Download Submit
C:\Users\Admin\Desktop\ConvertToUnlock.ppsx

Filesize
421KB

MD5
8c2daad7cae2d60597531e63e04c2724

SHA1
4f9c3dd6d2d69f2c760592d70f8f949a07a52c28

SHA256
432c87a56d7c20dc4c0a1a30dc06abaf5d52698e4f1e73e787666d97a341d7cf

SHA512
7840a5764d845d675178113eafd8b2e3ed78815c3b20c94dde2a2e84332e9332bc676e92bc87ba26f29edddb4867f497cf277db09ad67c2aa8321c77c18e0ce9

Download Submit
C:\Users\Admin\Desktop\CopySelect.jpe

Filesize
498KB

MD5
dbb1a87aae40e9bdba9412aa04df8549

SHA1
f2e81cbf17d07d781a9f43eb223e215f824896eb

SHA256
d5e57a4c9aabb1c26873fd5c177e63c3958affd4e9792231dae4463697cde809

SHA512
c911a9add4bc16af0bc56be073caf71f252f3e69fbd352efbbc81836d902a0863427e36f5c8c0c8b9731fc1fdcd5343df0c6a187142c694342eb94784f78b4fa

Download Submit
C:\Users\Admin\Desktop\GroupJoin.pot

Filesize
268KB

MD5
de739202519ef87021d25cb9f3f7f34f

SHA1
3292bad669b9ad6c46bbe86967a94c50d4bf92a5

SHA256
897cbb7be9cdfb3d47e73655b98a3c724a33769a7a311507db27c3069b5d75a8

SHA512
23c97faa740d615f64a30ec72c094e500de8e775c0147da1f4a29935049c34f535d7d16915325b2664dacf2b51d80a75202db2ff658722c3787576dd567cabff

Download Submit
C:\Users\Admin\Desktop\MeasureGroup.odt

Filesize
676KB

MD5
75cc0b094236e52bf3729016b2e0c611

SHA1
3ff2e53a27a442d1fdf1e881147776b5041eace2

SHA256
aaf118fc8009fceaa4e6d4afd97cd75e45c5fa9f8389cc9cdf36e265cdfa6ea0

SHA512
1d315ec3d9f248ee0c0864c5c6f3651a49dc1866cf88ce7b02125a226ce4c11cb92f5803a8ca66980a5f4e75cf42b7b9b6610f0c1357b181f680ffe67cb17376

Download Submit
C:\Users\Admin\Desktop\MoveDisable.bat

Filesize
293KB

MD5
824eb45d4174842eade7a37def894a34

SHA1
4a5a4843572c81c86ffc21547506904ee9d13385

SHA256
bd0cc96df836bb6a3898f61e9b60b8c323ed8e549b435c6899036a4f770e408d

SHA512
7300f3fd65d6cdd905a2a2f597adb5ffde49582f581c820eb6dbc2f61c19e3263fbca07ce7a1f21475e666615bf566e809f468ea424c6227205149f592808073

Download Submit
C:\Users\Admin\Desktop\PushFind.asp

Filesize
472KB

MD5
890fa7c433bc43e6c4869d1aa2c8312a

SHA1
ba4b00c8e8dc3469e10cab65a96e5a7169b90e63

SHA256
323ed7769c59d7e48a403f92d7ea33ec0d444d2a2123786d426c2bea526ba3f9

SHA512
48bdefc99f4b8b7b50bddd764844b9fd05f3fd290ca70b15b9cb530db437e6920733808d7717816dfca488b5c2e3eaf3aa4d889f3e9c7f2819afcd694f9996f6

Download Submit
C:\Users\Admin\Desktop\ReadSet.wps

Filesize
344KB

MD5
5466f937159b5fa429786a31d5b8fda7

SHA1
c06983bf366e91a8861ad2f85b8c1b26e63c4d4f

SHA256
a580f620fd7aa59cfdf5b9bd8000f176ee670d8b1b461c33825ad5eb4efd89e6

SHA512
8b4d7a75bdcc4a3e55cb1e32dc76236306b6ab947d1fa78628fe70d70a5cc879a90310efba8ad2c660d88de68e2dfe93c5e674ebec523980ab5ca054378f9a2b

Download Submit
C:\Users\Admin\Desktop\RegisterDismount.cmd

Filesize
753KB

MD5
bfb12e499705a5875a2f98c55a18615e

SHA1
320b440b118d6ad276b75993584b9c9dacd84253

SHA256
90f7a7f757f67fc31190d132b2fa53488b4d0fbeb5a757c52913bba048e3daed

SHA512
946ff30ebc9e3acb0355faf3bd69643801b1796810f3f23ef78c741b4b9fdbaa49ee84c4cfd3f0ea6fe8e08713552b8aec4724becae566da48ffabb99dddf1f7

Download Submit
C:\Users\Admin\Desktop\RestartMeasure.pptm

Filesize
370KB

MD5
decb6a513aa020c204d5198e2e1efc9f

SHA1
e09ce34441fb7b324aa82d68b69bfd8144460518

SHA256
66a27c6f1a61f3d1ba4a0bd8c25b8bcce021ba5c74dd836783ea5b25de469ccc

SHA512
6a0c5d698a78f1df1aaac1c39078aee893c07443374a6ea0aee3a2f5acb662a4a6499235349cab40b2951129f2ee44f2b51fcf81e8ae647f486e4b30055abd52

Download Submit
C:\Users\Admin\Desktop\SelectConvertTo.tiff

Filesize
702KB

MD5
5eacdae08bc8676d5bdf054f6342e511

SHA1
380b7d973c990568834ce5f0406a3ecafae5ca99

SHA256
ce4ca5a81c333b686ca82320fa40a04b15c5bac5b1d3907ac52fd8d3b60d45f3

SHA512
d9a66346c50bc9a9e8e811343da817da16acd0968a07fc68d0bd32f2c2ec0e570e4d6867f64ce0429c8a7252146573cc724a50b78c89b7cb9063115f99ef625a

Download Submit
C:\Users\Admin\Desktop\SendUninstall.dotx

Filesize
523KB

MD5
67f4333e161ac57dd5c31ff31ea8a506

SHA1
6f219f8ac2ac4a6ba07b5670a0b429da19a710c2

SHA256
e3870823956b076c0b67e90a93e01ab1c20d05dd905726d575478b5cd30190bf

SHA512
08eabca362ce326d71427f0e45f51114282c3c0a84f4738bc509e628facad51992256f3b79ce89aeb712e82829de9d6bfaf540df96ea1f7bc5943fadbdde9f6c

Download Submit
C:\Users\Admin\Desktop\SplitConfirm.ps1

Filesize
1.0MB

MD5
2f7d0b088381c15a86a3db336f134675

SHA1
6221687499863e18b9ce03ff75659f48a699e2c5

SHA256
9919a7994fb4b39acda46af00db6c057f8cd3c73c3995a7240464db5e988bd14

SHA512
df1e224ec5b72572749be38ad9059853c231858cea2eca7795beeddf940ff19cb09d3ca2f2d353ad4c09d8b3b08f820d654682a837404a1c668247cbc7b70035

Download Submit
C:\Users\Admin\Desktop\StartCopy.reg

Filesize
549KB

MD5
7e18c371cf24ea3edd4ca689ec5fc203

SHA1
3267867f4c4f4c5e689061c15a91c0f22bac5253

SHA256
48491e3488bdd884c5ba9a42aac237ad9980a3243b99784a5488c89e4d6b7eb7

SHA512
d1be659f249817ac807f6cfdbe79f08ab9713e0f742f63df2e86a09c2769e3364f0e723c0431900e4917919f23df92de9b01a78903818c38f30d15108ae48094

Download Submit
C:\Users\Admin\Desktop\TestPush.txt

Filesize
395KB

MD5
a95e154ad2420516b7aa0dd3dd4b211c

SHA1
776da558ae6dd5548bda3264468b5447f7a7ca3b

SHA256
a6690016745f7dbb5ab895d22b62bd6e598d1462acc558af85cad3a07071252f

SHA512
c6dccc9072be77957ea99b3d8a21282ab35b29d4095b7e797e580001e61c3b03a7856bb6512ec24f8c8e9a294e495a4af04fae72c32209da98223db7e628d645

Download Submit
C:\Users\Admin\Desktop\UnblockExport.3gp2

Filesize
319KB

MD5
3b4756fe9aa46bda50461201a66dac65

SHA1
caf2a57a2f28b5f125fd537aa81b9aeecc4e0161

SHA256
21b0f1b000f80e6330bde2a5764d18ea61a69395d2a24cbbfdb768d405218bbb

SHA512
2c64cac929fc7106bb2c6b5856b8612245d408d4dd7821117e4cf086150e19ffb1f3c2adf73b614950ab2301b4940c68986077bf4f8ab7893deb44b7b2a752e6

Download Submit
C:\Users\Admin\Desktop\UnprotectOptimize.cab

Filesize
727KB

MD5
98f61114a36d7aecf5c1cb77b9f17b8e

SHA1
2a9ba22e3d1f9ed7efea0939f1d2e09dd926e76c

SHA256
d9ee5591965fc8eb43d573312053152347aaf7594f3f5c44e0ef70272acbd689

SHA512
f1f849927c669fd3027d05bc601873818984465e100d1924333e380fceea9539b4aa0c888b08759b2187a692c10029c4004e13155d484860569f491c542d069f

Download Submit
C:\Users\Admin\Desktop\WaitUse.wmv

Filesize
651KB

MD5
1b392159fa609e20858611f6e32d5edc

SHA1
3fb27c06e10efb81ca2cefd09063dd075f5ec2ae

SHA256
21a56c864bf3ab72c0252cf189106a71146ad04ae58922080e32a1ea7b69870d

SHA512
51f44fa89db0c3d65ee049fa55abb25968391119a421972de265ce6e7c1775a943ffc69124133adc2c2f1bcf2ba43905ba01d35f98ad36b386ed43bbbe412419

Download Submit
C:\Users\Admin\Desktop\WatchUnblock.ico

Filesize
625KB

MD5
2370dccdcd8830e52dfee5d032d7931b

SHA1
42ac161b26663c84b14f5856f65e7c8137da26c4

SHA256
4dfc8afba73184853295b5afd1603716ac5a7a58b3e1703ce34920b9db7f0d04

SHA512
d3c836ecbe9df10f6431f4f66d0293f027d44008f2fa6f2e9a58ce864196327110ed7a64a8243dce57de18a3991d9eb4e857f6d039113ec6ab0da111924176c9

Download Submit
C:\Users\Admin\Documents\ApproveRename.xlsx

Filesize
2.0MB

MD5
51ce174f540dc27c782bd476bb1d719d

SHA1
a29abb6b4ee11dbdcc2c853b1effc3d320cb54cc

SHA256
d99365cbf96316d43afd8263b15a84086de48de1f14cbb8da598be4d1fa28bee

SHA512
6d78f5a845665d438501bb0a814f72663889166e5db3b1aea4a2fe35cacad1c72f8be38504b26e0ab11db9e79c53b41f4ad3d452fcd4a3bd29824d3a7bb1a3e4

Download Submit
C:\Users\Admin\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\Documents\ExpandMount.vdw

Filesize
2.4MB

MD5
33b70f462201aae681a3cff155244c13

SHA1
3f3846b995cdd1355d6fe7b697f8816d30e41860

SHA256
db38ed7c590f5fd5b615c3b1ce3c05048b8bda36b204310d9bb89ae42dd0af24

SHA512
58ea0d2bfe1c8fd7f49bb44e34cbfc4db11e55245678b4b212675e57a5f66f6418eb962c9fae254ae667d587ed502bc362ba894051c3e9e07749e5065b6c2d1c

Download Submit
C:\Users\Admin\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\Documents\GrantPublish.potx

Filesize
1.2MB

MD5
f7ddc0566207ff8c9be2f35c2961e480

SHA1
ced8f90dc2ae5f81dfbffd649b2e352e61359268

SHA256
2723ee6f81b67f3706ddbfdd61013acefa4667028b8ff45c1ddc9cd9c9966b18

SHA512
e1c5ec70b52b88136036de010f150c6a910a5bad37e8ce223a916afaa1cb11f45ea85c6d7105eb8f1a95aebad790a696331f6c68ccd7fb317569a803a6055b91

Download Submit
C:\Users\Admin\Documents\JoinEdit.docm

Filesize
3.8MB

MD5
66820737da7be2b619368022acd8e362

SHA1
08520a601bc8b1cc4bdc261403ce3e3c71466d75

SHA256
1e6731fba710d424fa57dac4b2215f2a2b281f93c325c31a2ed3bbe42451354c

SHA512
bc4b660d38c8d16ec93c6fdaac204bb370789caa7dded216925d0f382ff772191944612ab09431e28356a0eb4a5aa5df5bb722a5d044fdedf85febcd84587d94

Download Submit
C:\Users\Admin\Documents\MergeResize.pot

Filesize
1.8MB

MD5
d67edd97f6ee7192005b1eeb4180ed33

SHA1
ba318f457ae9bf99a97a27ded0845c07c614f8cf

SHA256
9cd70ade098abed5289291d7c74ed7c65d9ac580cba5576a6decdc8327a9ceb1

SHA512
a99d6f3e5d5becd9f96f39bc8fa1b07faecec1b7e52361ae497fd40b27519d2e838cf90bb2cb3450a589681def7710e955e0222e6fbd87b7f0bc3915c1336e8f

Download Submit
C:\Users\Admin\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\Documents\OutSkip.vsdx

Filesize
1.4MB

MD5
71619424391f74e8427c5e23c5ef6b96

SHA1
1d6b2c5e20ac256b557b3ae52d2671cc61150aca

SHA256
bad1f66f9aa2c2844ac332d0be07ee28abaf3a7f94c836b80963d3db7dee719f

SHA512
8e6ff09f487e4a4e1992626cf0ca3c7e60338f8cf247292a17f562ac15c5b0fbe0f55e6fa7dbc3dc5bd2afca4773b6dbc0da34044f29b1f26338c87af4a01ca6

Download Submit
C:\Users\Admin\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\Documents\SkipExport.pps

Filesize
1023KB

MD5
b6a7f3c5efa00243a9c05f1aaff8a13e

SHA1
b099dba70ef880efcb9aa263fdcd7470595582cc

SHA256
cfd3c70f77e2271ef2680c24916616a02faadc3cd2da6c298b0476a24250250c

SHA512
577b104e423eaf97f36e7064223bd7f3f74ffeaf46888077bcaa72d6f02a35aa56dda69f4977624de81f22e8c6a58e657a563adeafe449bc7b34698f0035bcdd

Download Submit
C:\Users\Admin\Documents\StartComplete.vsdm

Filesize
2.6MB

MD5
0b57a831a204bbc33322fa38174e0f2d

SHA1
85b523729ac32561c77f7b97300a0069c1c9613f

SHA256
28d77248ad764cd0e17fd049edd812f96d9bee64e21573bc86ce4a1c38072a6f

SHA512
c4a8ab54888540a52215fba9aa6beea2374924628e26f024d9ca1253622752a1b01c88acece311dc1c8548599a8182573b37a3c9a5303b2b4130609708189054

Download Submit
C:\Users\Admin\Documents\SyncApprove.csv

Filesize
2.2MB

MD5
6bdc5f0d8873f0b1bc743fadeec6ef07

SHA1
506f8684663973e40767002afe5809ad826b27a8

SHA256
a9cb1da2cf9dd3e7f161b4c646104f776a0884f70f6dc046afeb7bb5c39db872

SHA512
27e473bdf51ddf5fc5684982078f5468a1f4640d57ee3e24310e42fae05ee94c4daf0b0c52d33865f78db826b6807f01b08a307d038a26a04c41aa7665cc483d

Download Submit
C:\Users\Admin\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\Documents\UndoResume.dotm

Filesize
1.6MB

MD5
731821a162185109ce3a58893287d4aa

SHA1
acab09efa2f22214f8bcebf9417f7f53041a3a7d

SHA256
83f5ab28ab028eb911e677932fa961fba9362f5dd184588628ef94d69b9edf0c

SHA512
a805a9f25d19aaa8c38888fb24e567685174d425285a5e91d040d2c796b3b0a71d150becf6bb8fb7d5a7da78f77dd091e882e4d8a8069a30a429e23d52467d7d

Download Submit
C:\Users\Admin\Downloads\NursultanCrack.exe

Filesize
439KB

MD5
7e05e661a0af483e90c4f01dad8b60bd

SHA1
7d1fa01b6613dbd952f227db85a2a335b0d6d1fe

SHA256
10eb9dea079b23cfda456ac3dfa7ab4e11258290a8cd69bf613b9d601ab6e0f8

SHA512
81a93d756c15c83e7bd8dae460002a63d773e3eb35a842aa6708bb9cdad775cb6e8f178b47a9e4f3220f4d0ad83cf03c38db1494705ca5c66106b641d20eec82

Download Submit
C:\Users\Admin\Pictures\ApproveWatch.gif

Filesize
324KB

MD5
4f82784b4597c7fc34ee3087bbebe78d

SHA1
4de686f0d2758f9019f7d3fc10987fba212bf1c1

SHA256
db31f98c766ddf091624e013eebbe0e1cc954a5aafae5d294f65d088cfafdd02

SHA512
5db06c049d2d83e51aad729d8eb15c5e64d8c4b6f0c1c97735e7dab4a880f6655dccf503d1a6e5621412ffc3b193cd53a22677f121144ba153bd74ee78118624

Download Submit
C:\Users\Admin\Pictures\CloseImport.emz

Filesize
349KB

MD5
34df208371e65958eb16f4071da5c8a9

SHA1
3757e9dcf1fbe311781495db464af4110628ab8f

SHA256
84b2ce5035fe3747d611413c84d0aaeda498c6e6dc880481bd1e707783cb3a9e

SHA512
cd0771ab20c6f9d055e0ea98633745b1c95702a699fd4cde94aca01c25073983e9caf84a1f1c52ac144ac87cda3a39c2e3fffe5019ee228225bc39c6775b4fc1

Download Submit
C:\Users\Admin\Pictures\CompareClose.svg

Filesize
374KB

MD5
f757fa10e0b9966aacc632cebc3a080f

SHA1
23df76bb8b797f08ea47a4081d07f55b1bfbd75d

SHA256
9908794bb956347d5ed0dd99d0ead90f1c9d640a2d7f6f05e28f18762c09ef20

SHA512
f5637569ef818012615ece665094aa4753aabd8a11c18b34f06065e45a55215724be2e39a1d9fab6396dea9a9c7380f285fd6337db55b560b8867faa0b64c168

Download Submit
C:\Users\Admin\Pictures\CompressWait.svg

Filesize
218KB

MD5
f6e80e97e9cb55a127817da5dc8e4030

SHA1
6fcb365d6b181aad7d9f663b7c86dd1ea2dc594b

SHA256
eb5813c27cc88f9df85ed499baae96d6731b6e821f664062417628d8f02f62cf

SHA512
0247e1a3e8bf6459e9ace43897b52f4519ded02802da095d5f5a5e06cbaa071b7593046ed5644ce4c23281980a335986db4686425f8b3061ccbf474197978305

Download Submit
C:\Users\Admin\Pictures\ConvertEdit.raw

Filesize
234KB

MD5
71600e23a28bfd0cc86355f1963e5414

SHA1
136928d66a3bfcca47b5278eba1f6967869e51e3

SHA256
6345324a869a1f80b2626ac6b9c7eec987723d22e7fa7073d813e69214eab9c8

SHA512
cb61407090f13120f73ff5203c302d0fc2e11bab027ef4c42d6d2892a34f3d261829607ddd243855d685a11d154f8c372f4b1656527de76917e378fea54ea0df

Download Submit
C:\Users\Admin\Pictures\ConvertFromOptimize.svgz

Filesize
185KB

MD5
ff941e4b19d91922f95a86c1a5bc6f21

SHA1
da7e224fc9279564670a2088b7825670dfe6521a

SHA256
5284b931f3551d765e92f4f396f57eab990b852b370120893d17cd10e393c9af

SHA512
7bc69276e4ce27fbff294927beaba5a38ff5976afa34d07dc56beea4d5311af8f23ff61783bf7d2ce6e3f69a87a0d96132b34cbb24e9b37ad59467cd0a223fbb

Download Submit
C:\Users\Admin\Pictures\CopyUnlock.ico

Filesize
423KB

MD5
9880c204aa16b3a3ef5e5509f49b4617

SHA1
47f34a17308cee82188bb23e18eaa726f9f949b4

SHA256
62633aeda590f77d62cfec840f75ba2430a5b42fec3eabc4957c5f8cee0313c4

SHA512
9ea8ae40a61fba39fd3b149741af6ad8f5db8ae21051b8c425d2487159fdbf56980886c0188cd6185081df78b85c45a0f78f904866fbcd4e25573710a05c676b

Download Submit
C:\Users\Admin\Pictures\DebugStart.gif

Filesize
168KB

MD5
db49289579185981636a2e513c86e38a

SHA1
98cc22a5e14967ae27a2565e680e758c81e6d691

SHA256
97a69843de19224452eaa45faf982fbec928f9a916df145784cf85394edc6a12

SHA512
fac5146a844cf1ecc55ecb325a440717c81b35320720a54531b3fcfc0980ca5347008fa59706d48e08dfcee9b78143cc1a3b4db10241b0433b7e1b8ec99034ef

Download Submit
C:\Users\Admin\Pictures\DenyGet.dib

Filesize
283KB

MD5
0095379b7e74d746cae4c351bb9b0e0d

SHA1
d97f91671df1ce8f1dcd7294720b5e8933c6e623

SHA256
02d51838d1388305746f2f0ca4018c1d23b0d0677703692266f6cf492b7bbbcb

SHA512
e9f54cc0663c053a72e19b11103336a8c9bbff02bf0fb710daa586dfb99914ffdc7cb764906079efc5e767e7ab616bb1a00b489fb941febcd71888425c28de6b

Download Submit
C:\Users\Admin\Pictures\EditOpen.ico

Filesize
176KB

MD5
f5eeb891e1149bbfc8c4d222f76c2b78

SHA1
7766f1e1d3cefd9d71d6a21f1805886d4335d2b8

SHA256
0d5bb04a70ba76582c35a9aba65dfc4f6d8f41eba48bea8254a915637573491b

SHA512
bfe5cb1ef6d890aedd3c51cc78e2fd888f58220a47f239046b95b7a9af00b3b59d7adbe6402a78fa7b094bce34866974acfe67e1dccb65beacfbf196c076ad5b

Download Submit
C:\Users\Admin\Pictures\EnableReset.crw

Filesize
300KB

MD5
75fdf399ba7b00e48312b1a7feea330e

SHA1
423b5ecf585526d562335da4ffdab4df4225aaf4

SHA256
62a8026aaef23525858026522a5129b202dab56aeb33aa5cc38fa03a8696d0c2

SHA512
5e98e8f7049ab8ab5fd62f03bd3d1526e0d96a7e6ad623e9f557a99c2938fe608bc3167f95977fbcde2e1aabd77338cbc8d146bd5cc56a058d01e1663fbe5533

Download Submit
C:\Users\Admin\Pictures\ExpandRestore.tiff

Filesize
357KB

MD5
f0ea64febc7e42d2bffc17cb748e32ce

SHA1
9fce2c5746288c90fc179f233decf5640a0f5607

SHA256
6784ee92e3ecca3dde4a06c9e12fc4309080614153ffdd108559df51ad4b81e7

SHA512
2aac61b05f46a3414abe6f42244d0a4c9daf4ba707c9bfa2c3ab032c065bd5e4a19eb55930ea1d0786fd0d334176531e09593b75e286b9b3c42c786dbb488d9b

Download Submit
C:\Users\Admin\Pictures\FormatUnpublish.dxf

Filesize
152KB

MD5
37b5e7dd4850b697593586043b2b9091

SHA1
1cd38cd0e482bb5eac184282f870dca762edfd94

SHA256
5da63f8df2eb42557a3add849e97650ae94d6f77de1d800d45524861df599756

SHA512
0569c0d49cd6419b2f40b9a41ca827268a2070392845b754cf2f89aaa79fbd423144c9b3a434f2ad427821b479ec29d5c7f6a7ba41557aed012d36cc24d01ae7

Download Submit
C:\Users\Admin\Pictures\GrantSwitch.dib

Filesize
226KB

MD5
97af6067879a12fe2f1a6b963e0b40d8

SHA1
265c8dd1cf196b3d901b908422550bf87ce93934

SHA256
264e24363c28f63d9c3b861165186552612bd6daaa6cfe0171f9a1a8ab7136c0

SHA512
53e0cc38c6145019f96ff969c7d35f8f7bd2e28618d4fc4dab7df02e5b6d81619cfb4ccd8c8515178575c240a49c7620e14a88d986d279c4963bbc37bdbb74c4

Download Submit
C:\Users\Admin\Pictures\GroupPing.jpg

Filesize
292KB

MD5
8f7704d2531f1a380747db1bd8b10207

SHA1
022e35a963015cfec1cf70e8daaa4a22895ec179

SHA256
d33dc9c3bc0fec694f90cfd7cc5af9cfd412609649744a365f68589065e836b1

SHA512
8836df9717d13f41b85f4ce7a79c2e7cf92469bb8afc0542515cc67973e5e92da975098876f8d1d7a5a215b3f56fdf65fc9b2919cf4e3d12f056a848b10632ca

Download Submit
C:\Users\Admin\Pictures\GroupUpdate.svg

Filesize
259KB

MD5
ffc432dc301463dd85509a3fb1ac4bea

SHA1
7ef20b04904fc80a82a8bb5a0a6f99c0fe0dcd2a

SHA256
9382087657196d30b986c4a148f3604afc1ca768292fd1937c71313bf7999f5c

SHA512
5fad0ce2355e694ebed7853b790c2d62108864b1c8a3d374ad942623705ce88be77d6bdfaa9fde60d74de3773b4785fc6897badd23361646ce54fb21bf30937f

Download Submit
C:\Users\Admin\Pictures\LockSync.raw

Filesize
267KB

MD5
f178a69bb3fb5dcf1fd05ecb5270a1fe

SHA1
99a6448227c79d6d3acbf1d40fc72b17451464c7

SHA256
464d66188db3183a75caff2e589cbace7a3f9ebe56fb90f207d2af4cde9350f7

SHA512
4b6727a3c2a75bdf603fbc30625efc7e2c27428ab19cd2ff06835bf2bd044e2b65db5daa73858415b4f6c69f993b9107bac0fe38b3cb40805b82a2725c134c5f

Download Submit
C:\Users\Admin\Pictures\MergeClear.emz

Filesize
250KB

MD5
7d3bc4ce89d7ec77b7751e15c0164097

SHA1
ae76957d1c3bf301ab012a7358ffaf0df80b5d63

SHA256
4687f086d1975c6ec7360d09b1489ab7551fea54d5c5e5427f01e0ca4ca9a92c

SHA512
f5f1384ba8d14e8e1abb8e20e779ad8eeb008190667e551e7a0618e207e297a83646c91cd7f9db1919e1fa13a92bd6fab75d835c83d6527f77eee88275346938

Download Submit
C:\Users\Admin\Pictures\MergeCompare.emf

Filesize
431KB

MD5
225d4cda0c86a4b7a3983fb2544a0db7

SHA1
b618f987bc9047bac511175e943823f774e87d67

SHA256
1f2d24f8c20da64a680ed0d8769ac436a3429dd1bceff553b3e4787522171820

SHA512
060159a4e425c2ea50212847ad0dd7f2de57fcddd1fe8ed51db14ade7df20c00df4641a900255a14e0491b7675d3f3221dd81b38d6384df433358eb854849ba0

Download Submit
C:\Users\Admin\Pictures\MergePing.jpeg

Filesize
341KB

MD5
055bafa9ef0affd08699d99a7b615023

SHA1
a89e2a794eb7d42e6e23e87ce285f80fa18c8848

SHA256
e3038608837d6d929ebc8555caffd3b98a7a3097d96b16c4a830e6b11e66440c

SHA512
9dca7582b112997e1a912e847b0cff726a5fc39c2ab3d8837f9b4f9f7c93b75c90bf63d8d05cc9eccbed9d0bc35ceaf601823b209955ba1da80a878db2d3e6c3

Download Submit
C:\Users\Admin\Pictures\MoveSet.gif

Filesize
382KB

MD5
7cc84b19aafda70258f9f4e58e3efe05

SHA1
a19cf14c3b114d680f966657c57dd197f7cef812

SHA256
19cb6c348f34961455611c56ea7ffca2f889aca7de8b9aaccc039067f94f879a

SHA512
73ad0550cd0b9fc5e83d13694a578101d5455fba6e8194f34d8267f797d32c0e7bb18e52de7110b6991d9e1fddf40a0d8e99d045f15477c49f44797ec9d92c02

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
943ed92b63c97313a015f8ee64cd7da5

SHA1
85ca5d583c10ddc1f562f4f07ff937f8d81e0b7d

SHA256
76f4182ffc414282185da0c3d8f56f28279be677575939bf3f0b13fc8cedc3bd

SHA512
e4f3439da9ecdcd06579c162aff0bbef965c9dbd494ad185a0f37f8629f2c5e9020b04c20d52db82ce7ba5aeedbd04e139f14215f09b90f0af83c5e60231ed8c

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
796ff3a8238bc0efa4a80e382e7589b9

SHA1
9c18143b482d0be2b1a582eb575d7162285e15f6

SHA256
061c3e9e9132b7cf86a245154104e5f817304719cb54ee32e98c4b0edd0f44c5

SHA512
4c2b7380e3b1fce6c03686d4e154c27b4cc8f9375df4895659ceae1687d6c8557a1793e3b31a1213a8b4697cb00bfada35152b43401c477bc2434479b6f91b92

Download Submit
memory/1568-690-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/1568-680-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/1568-692-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/1568-686-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/1568-687-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/1568-688-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/1568-689-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/1568-691-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/1568-681-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/1568-682-0x0000022272210000-0x0000022272211000-memory.dmp

Filesize
4KB

Download
memory/3168-703-0x000001D2E61D0000-0x000001D2E6222000-memory.dmp

Filesize
328KB

Download