Malware Analysis Report

2024-10-10 13:08

Sample ID 240617-2q5jxa1hjp
Target New Client.exe
SHA256 2c37763ed709cb7866ca0571d60874990bf096e3aa430bc6f246aff84aa0ba51
Tags
dcrat njrat lox evasion infostealer persistence ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c37763ed709cb7866ca0571d60874990bf096e3aa430bc6f246aff84aa0ba51

Threat Level: Known bad

The file New Client.exe was found to be: Known bad.

Malicious Activity Summary

dcrat njrat lox evasion infostealer persistence ransomware rat trojan

UAC bypass

njRAT/Bladabindi

Process spawned unexpected child process

DcRat

DCRat payload

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Disables Task Manager via registry modification

Executes dropped EXE

Drops startup file

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks whether UAC is enabled

AutoIT Executable

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Modifies data under HKEY_USERS

System policy modification

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Kills process with taskkill

Checks SCSI registry key(s)

Creates scheduled task(s)

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 22:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 22:48

Reported

2024-06-17 22:52

Platform

win10-20240404-en

Max time kernel

217s

Max time network

218s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(the row above is repeated 42 times in the sandbox output, once per schtasks.exe launch)
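Every row in the table above has the same shape: the WMI provider host (wmiprvse.exe) launching schtasks.exe. As an added example that is not part of the sandbox report, the Python below runs a parent/child plausibility check over constructed process-creation events that mirror those rows and collapses the hits into counts; the mapping of which children are "unexpected" under wmiprvse.exe is an illustrative assumption, not a vendor ruleset.

```python
"""Parent/child process anomaly check over constructed process-creation events.

Added example, not part of the sandbox report. SAMPLE_EVENTS is built here to
mirror the table above (wmiprvse.exe launching schtasks.exe 42 times); the
UNEXPECTED_CHILDREN mapping is an illustrative assumption.
"""
import ntpath
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the created process
    parent_image: str  # full path of its parent


# Children the WMI provider host has no business launching. wmiprvse.exe is the
# parent of anything started through WMI (e.g. Win32_Process.Create), so the
# process that actually requested the launch is not visible in the tree.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe",
                     "rundll32.exe", "regsvr32.exe"},
}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def flag_unexpected_children(events):
    """Return (parent_name, child_name, pid) for each implausible pair."""
    hits = []
    for ev in events:
        parent, child = _name(ev.parent_image), _name(ev.image)
        if child in UNEXPECTED_CHILDREN.get(parent, ()):
            hits.append((parent, child, ev.pid))
    return hits


def summarize(hits):
    """Collapse repeated pairs into counts: {(parent, child): n}."""
    return dict(Counter((parent, child) for parent, child, _ in hits))


# Constructed sample: 42 WMI-launched schtasks.exe processes plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(4000 + i, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe")
    for i in range(42)
] + [
    # services.exe -> svchost.exe is normal service start-up
    ProcEvent(5000, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\services.exe"),
    # an interactive user running schtasks from Explorer is not flagged here
    ProcEvent(5001, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\explorer.exe"),
    # the WMI host itself is started by the DCOM launcher svchost
    ProcEvent(5002, r"C:\Windows\system32\wbem\wmiprvse.exe",
              r"C:\Windows\system32\svchost.exe"),
]

if __name__ == "__main__":
    for (parent, child), n in summarize(flag_unexpected_children(SAMPLE_EVENTS)).items():
        print(f"{parent} -> {child}: {n} launches")
```

A child of wmiprvse.exe was requested through WMI, so the process tree alone does not show which process asked for it. Correlate the PIDs with the "Creates scheduled task(s)" rows below and with the Task Scheduler operational log to recover the task names, which the sandbox leaves as N/A.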

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A

njRAT/Bladabindi

trojan njrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(3 detections, none with indicator detail recorded)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A

Disables Task Manager via registry modification

evasion

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Windows\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Windows\\svchost.exe\" .." C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Windows\\svchost.exe\" .." C:\Windows\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 5.tcp.eu.ngrok.io N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\e6c9b481da804f C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Internet Explorer\images\Idle.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Common Files\DESIGNER\cmd.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Common Files\DESIGNER\ebf1f9fa8afd6d C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Media Player\Visualizations\services.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Media Player\Visualizations\c5b4cb5e9653cc C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\ebf1f9fa8afd6d C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Internet Explorer\images\6ccacd8608530f C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File opened for modification C:\Program Files\Common Files\DESIGNER\cmd.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\xina.exe C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A
File created C:\Windows\rescache\_merged\2717123927\1590785016.pri C:\Windows\explorer.exe N/A
File created C:\Windows\RemotePackages\audiodg.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Windows\diagnostics\system\Networking\it-IT\dllhost.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Windows\WinSxS\amd64_mtconfig.inf.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_ba9db1b5baf3a450\dllhost.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Windows\servicing\it-IT\sysmon.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
File created C:\Windows\rescache\_merged\4032412167\4002656488.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
File created C:\Windows\RemotePackages\42af1c969fbb7b C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\svchost.exe N/A
File created C:\Windows\rescache\_merged\4272278488\2581520266.pri C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe N/A
File opened for modification C:\Windows\xina.exe C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A
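The registry and file rows above (the EnableLUA=0 UAC bypass, DisableRegistryTools, the Startup-folder drops, the Run keys pointing at C:\Windows\svchost.exe, the wallpaper change by Locker.exe, and the svchost.exe / services.exe / dllhost.exe / audiodg.exe copies written outside System32) are the indicators a responder would pull first. The Python below is an added example, not part of the report, that classifies sandbox-style "Set value" and "File created" events into those categories. SAMPLE_EVENTS is constructed from the rows above; the list of System32-only binary names and the policy values treated as tampering are illustrative assumptions.

```python
"""Classify registry-set and file-create events from a sandbox trace.

Added example, not part of the report. SAMPLE_EVENTS is constructed from the
report's rows; SYSTEM_BINARY_NAMES and POLICY_KEYS are illustrative assumptions.
"""
import ntpath
from collections import defaultdict
from typing import Optional, Tuple

# Binaries Windows ships under %SystemRoot%\System32 (or SysWOW64). A file with
# one of these names created anywhere else is masquerading (assumed list).
SYSTEM_BINARY_NAMES = {"svchost.exe", "services.exe", "dllhost.exe",
                       "audiodg.exe", "cmd.exe", "taskmgr.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Policy values that neuter user-facing defences: key suffix -> (bad value, label).
POLICY_KEYS = {
    "policies\\system\\enablelua": ("0", "UAC disabled (EnableLUA=0)"),
    "policies\\system\\disableregistrytools": ("1", "Registry editor disabled"),
    "policies\\system\\disabletaskmgr": ("1", "Task Manager disabled"),
}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def classify_registry_set(key: str, value) -> Optional[Tuple[str, str]]:
    """Map one 'Set value' event to (category, label), or None if uninteresting."""
    k = key.lower()
    v = str(value).strip('"')
    for suffix, (bad_value, label) in POLICY_KEYS.items():
        if k.endswith(suffix) and v == bad_value:
            return ("policy_tamper", label)
    # HKLM or HKU Run key; the value name is the last path component
    if "\\currentversion\\run\\" in k:
        return ("persistence", f"Run key {ntpath.basename(k)} -> {value}")
    if k.endswith("control panel\\desktop\\wallpaper"):
        return ("impact", f"Wallpaper replaced with {v}")
    return None


def classify_file_create(path: str) -> Optional[Tuple[str, str]]:
    """Map one 'File created' event to (category, label), or None."""
    p = path.lower()
    name = ntpath.basename(p)
    if STARTUP_DIR in p:
        return ("persistence", f"Startup folder drop: {name}")
    if name in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_DIRS):
        return ("masquerade", f"{name} outside System32: {path}")
    return None


def triage(events):
    """events: (kind, target, value, process). Returns {category: [(process, label)]}."""
    findings = defaultdict(list)
    for kind, target, value, process in events:
        hit = (classify_registry_set(target, value) if kind == "regset"
               else classify_file_create(target))
        if hit:
            findings[hit[0]].append((ntpath.basename(process), hit[1]))
    return dict(findings)


# Constructed from the report rows (plus two benign controls at the end).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000"
SAMPLE_EVENTS = [
    ("regset", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0", DROPPER),
    ("regset", USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", DROPPER),
    ("regset", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe", r'"C:\Windows\svchost.exe" ..', r"C:\Windows\svchost.exe"),
    ("regset", USER_HIVE + r"\Control Panel\Desktop\Wallpaper", r"C:\Users\Admin\AppData\Local\Temp\wl.jpg", r"C:\Users\Admin\AppData\Local\Temp\Locker.exe"),
    ("filecreate", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe", None, r"C:\Windows\svchost.exe"),
    ("filecreate", r"C:\Windows\svchost.exe", None, r"C:\Users\Admin\AppData\Local\Temp\New Client.exe"),
    ("filecreate", r"C:\Program Files\Windows Media Player\Visualizations\services.exe", None, r"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"),
    ("filecreate", r"C:\Windows\system32\svchost.exe", None, r"C:\Windows\system32\services.exe"),
    ("filecreate", r"C:\Windows\rescache\_merged\4183903823\2290032291.pri", None, r"C:\Windows\system32\taskmgr.exe"),
]

if __name__ == "__main__":
    for category, rows in triage(SAMPLE_EVENTS).items():
        print(category)
        for process, label in rows:
            print(f"  {process}: {label}")
```

The same file name can land in two categories depending on where it is written: svchost.exe under the Startup folder is persistence, svchost.exe directly under C:\Windows is masquerading, and svchost.exe under System32 is ignored. Processes that show up in more than one category (here the dropper and C:\Windows\svchost.exe) are the ones to acquire first.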

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(43 rows in the sandbox output, one per schtasks.exe launch: 42 as C:\Windows\system32\schtasks.exe and one as C:\Windows\SYSTEM32\schtasks.exe; no task names or command lines were recorded)

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A
(3 taskkill.exe launches; target processes not recorded)

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065551368052" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = (binary value omitted) C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3924 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\svchost.exe
PID 3924 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\svchost.exe
PID 3924 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\System32\cmd.exe
PID 3924 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\System32\cmd.exe
PID 2584 wrote to memory of 1996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 2584 wrote to memory of 1996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 4500 wrote to memory of 4156 N/A C:\Windows\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4500 wrote to memory of 4156 N/A C:\Windows\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4500 wrote to memory of 3000 N/A C:\Windows\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4500 wrote to memory of 3000 N/A C:\Windows\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4500 wrote to memory of 4028 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe
PID 4500 wrote to memory of 4028 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe
PID 4028 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\System32\taskkill.exe
PID 4028 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\System32\taskkill.exe
PID 4028 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\explorer.exe
PID 4028 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\explorer.exe
PID 4500 wrote to memory of 3612 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\9f88058988f0449ea67822f03ca4e710.exe
PID 4500 wrote to memory of 3612 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\9f88058988f0449ea67822f03ca4e710.exe
PID 4500 wrote to memory of 3856 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe
PID 4500 wrote to memory of 3856 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe
PID 3856 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
PID 3856 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
PID 3856 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
PID 3856 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 3856 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 3856 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 1724 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe C:\Windows\SysWOW64\WScript.exe
PID 1724 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe C:\Windows\SysWOW64\WScript.exe
PID 1724 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe C:\Windows\SysWOW64\WScript.exe
PID 3668 wrote to memory of 4168 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 4168 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 4168 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
PID 4168 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
PID 5024 wrote to memory of 4152 N/A C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe
PID 5024 wrote to memory of 4152 N/A C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe
PID 4500 wrote to memory of 3444 N/A C:\Windows\svchost.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 4500 wrote to memory of 3444 N/A C:\Windows\svchost.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 4028 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\System32\taskkill.exe
PID 4028 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\System32\taskkill.exe
PID 4028 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\System32\taskkill.exe
PID 4028 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\System32\taskkill.exe
PID 4500 wrote to memory of 3124 N/A C:\Windows\svchost.exe C:\Windows\System32\shutdown.exe
PID 4500 wrote to memory of 3124 N/A C:\Windows\svchost.exe C:\Windows\System32\shutdown.exe
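
The rows above double as the process tree of the detonation. One caveat before reading them as injections: a parent writing into a child it has just created is what CreateProcess does for every new process (command line, environment and PEB setup are written into the child), so these rows identify who created each PID and in what order, not injection into an already running process. The `C:\Windows\svchost.exe` in the chain is the dropped copy, not the genuine one under System32. The script below is an added example, not part of the sandbox output. It assumes the row shape `PID <src> wrote to memory of <dst> N/A <source image> <target image>`, embeds the rows from this table (duplicates included, since the sandbox logs one row per write call), deduplicates the edges and prints the lineage as an indented tree.

```python
"""Rebuild the process tree from the WriteProcessMemory rows above.

Added example for this report, not sandbox code. Assumed row shape:
    PID <src> wrote to memory of <dst> N/A <source image> <target image>
"""
import re
from collections import defaultdict

# Both image paths may contain spaces ("New Client.exe", "Program Files"),
# so the source path is matched lazily up to the first ".exe" that is
# followed by a drive letter; everything after that is the target path.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>.+?\.exe) (?P<dst_img>[A-Za-z]:\\.+\.exe)$"
)

# Rows copied from the report's table. One duplicate is kept on purpose:
# the sandbox logs a row per write call, so an edge can appear many times.
ROWS = r"""
PID 3924 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\svchost.exe
PID 3924 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\svchost.exe
PID 3924 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\System32\cmd.exe
PID 2584 wrote to memory of 1996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 4500 wrote to memory of 4156 N/A C:\Windows\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4500 wrote to memory of 3000 N/A C:\Windows\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4500 wrote to memory of 4028 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe
PID 4028 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\System32\taskkill.exe
PID 4028 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\explorer.exe
PID 4500 wrote to memory of 3612 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\9f88058988f0449ea67822f03ca4e710.exe
PID 4500 wrote to memory of 3856 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe
PID 3856 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
PID 3856 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 1724 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe C:\Windows\SysWOW64\WScript.exe
PID 3668 wrote to memory of 4168 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
PID 5024 wrote to memory of 4152 N/A C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe
PID 4500 wrote to memory of 3444 N/A C:\Windows\svchost.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 4028 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\System32\taskkill.exe
PID 4028 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe C:\Windows\System32\taskkill.exe
PID 4500 wrote to memory of 3124 N/A C:\Windows\svchost.exe C:\Windows\System32\shutdown.exe
""".strip().splitlines()


def parse_rows(rows):
    """({pid: image}, [(src, dst), ...]) with duplicate edges dropped but
    first-seen order kept; rows that do not fit ROW_RE are skipped."""
    images, edges, seen = {}, [], set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
        if (src, dst) not in seen:
            seen.add((src, dst))
            edges.append((src, dst))
    return images, edges


def build_tree(rows):
    """(images, children, parent, roots); a PID nobody wrote to is a root."""
    images, edges = parse_rows(rows)
    children, parent = defaultdict(list), {}
    for src, dst in edges:
        children[src].append(dst)
        parent.setdefault(dst, src)
    roots = [pid for pid in images if pid not in parent]
    return images, children, parent, roots


def lineage(parent, images, pid):
    """Image basenames from the root down to `pid`, handy as an alert label."""
    names = []
    while pid is not None:
        names.append(images[pid].rsplit("\\", 1)[-1])
        pid = parent.get(pid)
    return names[::-1]


def render(images, children, roots):
    """Indented tree, one line per PID, children in first-seen order."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}[{pid}] {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    images, children, parent, roots = build_tree(ROWS)
    print("\n".join(render(images, children, roots)))
    print(" -> ".join(lineage(parent, images, 4152)))
```

Run stand-alone it prints the 21 unique processes under the single root `New Client.exe` (PID 3924); the deepest leaf is `OfficeClickToRun.exe` (PID 4152), seven hops down via the dropped svchost.exe, the 7d3c… dropper, the Temp copy of NVIDIA Container.exe, WScript.exe, cmd.exe and the C:\NVIDIA copy.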

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A
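
Both values sit under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which only an elevated administrator token can write, so these two rows show that 500d66313c4845b4b7c9c84ce04a3be8.exe was already running elevated when it switched UAC off. EnableLUA only changes behaviour after a restart, and the process list further down shows `shutdown.exe /r /t 00` launched from the dropped svchost.exe, which is consistent with forcing that restart. The check below is an added example, not the sandbox's own logic. It parses rows in the `Set value (<type>) <key>\<name> = "<data>" <process> N/A` shape used in this report, maps the `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` prefixes to HKLM and HKCU, and flags the UAC and lockdown policy values. The DisableTaskMgr and DisableRegistryTools rules correspond to the "Disables Task Manager" and "Disables RegEdit" signatures in this report's summary, whose rows are not reproduced here; the third sample row is an ordinary explorer.exe write from this report, included to show that it passes.

```python
"""Flag UAC and lockdown policy writes in sandbox registry rows.

Added example for this report, not sandbox code. Assumed row shape:
    Set value (<type>) <key>\<name> = "<data>" <process image> N/A
"""
import re

EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+) = "(?P<data>[^"]*)" '
    r'(?P<proc>[A-Za-z]:\\.+?) N/A$'
)
# \REGISTRY\USER\<SID>\... is that user's HKCU; the "<SID>_Classes" hive is left as is.
USER_SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(?P<rest>\\.*)$", re.I)

POLICIES = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"

# (normalised key, value name, data) -> (meaning, only effective after restart/re-logon)
RULES = {
    ("HKLM\\" + POLICIES, "EnableLUA", "0"):
        ("UAC disabled: admin logons get a full token, no consent prompts", True),
    ("HKLM\\" + POLICIES, "FilterAdministratorToken", "1"):
        ("Admin Approval Mode toggled for the built-in Administrator; moot while EnableLUA is 0", True),
    ("HKCU\\" + POLICIES, "DisableTaskMgr", "1"):
        ("Task Manager blocked for this user", False),
    ("HKCU\\" + POLICIES, "DisableRegistryTools", "1"):
        ("regedit blocked for this user", False),
}
_INDEX = {(k.lower(), n.lower(), d): v for (k, n, d), v in RULES.items()}

# Rows copied from this report: the two policy writes above plus one benign
# explorer.exe write from the registry table, which must not be flagged.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065551368052" C:\Windows\explorer.exe N/A',
]


def normalise_key(path):
    """\\REGISTRY\\MACHINE\\X -> HKLM\\X, \\REGISTRY\\USER\\<SID>\\X -> HKCU\\X."""
    if path.upper().startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM" + path[len("\\REGISTRY\\MACHINE"):]
    m = USER_SID_RE.match(path)
    return "HKCU" + m["rest"] if m else path


def parse_event(row):
    """Dict with key/name/data/type/process, or None if the row does not fit."""
    m = EVENT_RE.match(row.strip())
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    return {"key": normalise_key(key), "name": name, "data": m["data"],
            "type": m["type"], "process": m["proc"]}


def evaluate(rows):
    """One finding per row that hits a rule; all other writes are dropped."""
    findings = []
    for row in rows:
        ev = parse_event(row)
        if not ev:
            continue
        hit = _INDEX.get((ev["key"].lower(), ev["name"].lower(), ev["data"]))
        if hit:
            ev["meaning"], ev["needs_restart"] = hit
            findings.append(ev)
    return findings


def restart_expected(findings):
    """True when a change only lands after reboot/re-logon, so a forced
    restart by the same process chain is the next thing to look for."""
    return any(f["needs_restart"] for f in findings)


if __name__ == "__main__":
    found = evaluate(SAMPLE_ROWS)
    for f in found:
        print(f'{f["key"]}\\{f["name"]} = {f["data"]}  <- {f["process"]}\n   {f["meaning"]}')
    print("restart expected:", restart_expected(found))
```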

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\New Client.exe

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 5

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\svchost.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe

"C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0xf8

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Users\Admin\AppData\Local\Temp\9f88058988f0449ea67822f03ca4e710.exe

"C:\Users\Admin\AppData\Local\Temp\9f88058988f0449ea67822f03ca4e710.exe"

C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe

"C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe"

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe

"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"

C:\Users\Admin\AppData\Local\Temp\Locker.exe

"C:\Users\Admin\AppData\Local\Temp\Locker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe

"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\RemotePackages\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "mobsyncm" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\mobsync.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "mobsync" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\mobsync.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "mobsyncm" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\535.21\mobsync.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\NVIDIA Container.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\NVIDIA Container.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\NVIDIA Container.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Downloads\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\Idle.exe'" /rl HIGHEST /f

C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\34471632a4cb4fd6a6300a932e148197.mp4"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" /r /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3a1e855 /state1:0x41c64e6d
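The schtasks lines above follow one recipe per dropped binary: a MINUTE task at one interval without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE task at a different interval with /rl HIGHEST, all named after the impersonated executable (taskhostw.exe, dwm.exe, RuntimeBroker.exe, OfficeClickToRun.exe, Idle.exe) and all pointing at a copy outside the directory the genuine binary ships in. The script below is an added example, not part of this report or of any sandbox's own logic: it parses those command lines (copied from the process list, plus one constructed benign task) and reports both traits. The expected directories in EXPECTED_DIRS are assumptions about a default Windows install.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Where each impersonated binary really lives on a default Windows 10/11 install. These
# locations are an assumption of this example; Idle.exe has no genuine on-disk counterpart.
EXPECTED_DIRS = {
    "taskhostw.exe": (r"c:\windows\system32",),
    "dwm.exe": (r"c:\windows\system32",),
    "runtimebroker.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "officeclicktorun.exe": (r"c:\program files\common files\microsoft shared\clicktorun",),
    "idle.exe": (),
}

_OPTS = {
    "name": re.compile(r'/tn\s+"?([^"\s]+)"?', re.I),
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "interval": re.compile(r"/mo\s+(\d+)", re.I),
    "runlevel": re.compile(r"/rl\s+(\w+)", re.I),
    "target": re.compile(r'/tr\s+("[^"]*"|\S+)', re.I),
}


def parse_schtasks(cmdline):
    """Pull the interesting /create switches out of one schtasks command line (None if not a create)."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", cmdline, re.I):
        return None
    task = {}
    for key, rx in _OPTS.items():
        m = rx.search(cmdline)
        task[key] = m.group(1).strip("\"'") if m else None
    if task["target"]:
        # /tr may carry arguments after the program; keep only the executable path.
        exe = re.match(r"(.*?\.exe)", task["target"], re.I)
        task["target"] = exe.group(1) if exe else task["target"]
    task["schedule"] = (task["schedule"] or "").upper()
    task["runlevel"] = (task["runlevel"] or "LIMITED").upper()  # schtasks default when /rl is absent
    return task


def analyze(cmdlines):
    """Group created tasks by target executable and report masquerading and the logon+minute triplet."""
    by_target = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task and task["target"]:
            by_target[task["target"].lower()].append(task)

    findings = []
    for target, tasks in by_target.items():
        path = PureWindowsPath(target)
        exe, stem, parent = path.name, path.stem, str(path.parent)
        reasons = []

        # Trait 1: a well-known system binary name in a directory it never ships in.
        if exe in EXPECTED_DIRS and parent not in EXPECTED_DIRS[exe]:
            reasons.append(f"{exe} outside its expected directory ({parent})")

        # Trait 2: one ONLOGON task at highest run level plus repeating MINUTE tasks, every
        # task named after the binary (the minute tasks here carry one extra trailing character).
        def named_after(name):
            n = (name or "").lower()
            return n == stem or (n.startswith(stem) and len(n) == len(stem) + 1)

        logon_high = any(t["schedule"] == "ONLOGON" and t["runlevel"] == "HIGHEST" for t in tasks)
        minute = [t for t in tasks if t["schedule"] == "MINUTE"]
        if logon_high and len(minute) >= 2 and all(named_after(t["name"]) for t in tasks):
            every = ", ".join(t["interval"] or "1" for t in minute)
            reasons.append(f"ONLOGON/HIGHEST plus {len(minute)} MINUTE tasks (every {every} min) named after {stem}")

        if reasons:
            findings.append({"target": target, "tasks": sorted(t["name"] for t in tasks), "reasons": reasons})
    return findings


# Command lines copied from the process list above, plus one constructed benign task
# (the last line) that the checks should leave alone.
SAMPLE_LINES = [l.strip() for l in r"""
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /f
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /f
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\Idle.exe'" /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f
""".strip().splitlines()]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f["target"], f["tasks"], *f["reasons"], sep="\n  ")
```

The same two checks apply to Sysmon event 1 or Security 4698 records on a live host; only the line source changes. The directory check alone is enough to catch every dropped copy here, and the triplet check adds a fingerprint that survives a renamed target.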

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.67.112.102:19036 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 102.112.67.3.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 11.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 20.189.173.22:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 22.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 narzieo9.beget.tech udp
US 8.8.8.8:53 udp
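Most rows in this table are resolver traffic to 8.8.8.8, reverse lookups the sandbox performs on every contacted address, and Windows telemetry; the indicators are the two names that were resolved and then connected to (pastebin.com over 443, and the ngrok TCP tunnel 5.tcp.eu.ngrok.io on port 19036, which is where a relayed C2 listener would sit) plus one name that was resolved but never contacted within the run (narzieo9.beget.tech). The script below is an added example, not part of this report: it parses the table, drops the noise, and keeps for each remaining name the endpoints actually contacted after the lookup. The service descriptions in ABUSED_SERVICES and the noise suffixes are this example's assumptions.

```python
import re

# Triage classification. The descriptions are this example's assumptions, not something the
# report states; extend the lists for your own environment.
ABUSED_SERVICES = {
    "ngrok.io": "tunnel relay: a public port forwarded to an attacker-controlled host (C2)",
    "pastebin.com": "paste site: typical dead drop for a C2 address or configuration",
    "beget.tech": "free shared-hosting subdomain (assumed tenant-controlled)",
}
NOISE_SUFFIXES = ("telemetry.microsoft.com", "in-addr.arpa")  # OS telemetry, sandbox reverse lookups

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; the domain column may be empty."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(domain):
    d = domain.lower()
    if d.endswith(NOISE_SUFFIXES):
        return "noise"
    for suffix, why in ABUSED_SERVICES.items():
        if d == suffix or d.endswith("." + suffix):
            return why
    return "unclassified"


def extract_iocs(text):
    """Map each non-noise domain to the endpoints contacted after it was resolved (empty = resolved only)."""
    iocs = {}
    for r in parse_rows(text):
        domain = r["domain"]
        if domain is None or classify(domain) == "noise":
            continue
        rec = iocs.setdefault(domain, {"why": classify(domain), "endpoints": []})
        if r["proto"] == "udp" and r["port"] == "53":
            continue  # the lookup itself; the resolver address is not an indicator
        rec["endpoints"].append(f"{r['ip']}:{r['port']}/{r['proto']}")
    return iocs


# Rows copied verbatim from the network table above.
NETWORK_TABLE = """
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.67.112.102:19036 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 102.112.67.3.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 11.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 20.189.173.22:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 22.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 narzieo9.beget.tech udp
US 8.8.8.8:53 udp
"""

if __name__ == "__main__":
    for domain, rec in extract_iocs(NETWORK_TABLE).items():
        print(domain, rec["endpoints"] or "resolved only", rec["why"], sep="  |  ")
```

Treat the ngrok endpoint as ephemeral: the relay host and port are assigned per tunnel session, so the durable indicator is the 5.tcp.eu.ngrok.io name (and ngrok use in general from endpoints that have no business running tunnels), not 3.67.112.102:19036.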

Files

memory/3924-0-0x00007FFD2F955000-0x00007FFD2F956000-memory.dmp

memory/3924-1-0x000000001B800000-0x000000001BCCE000-memory.dmp

memory/3924-2-0x00007FFD2F6A0000-0x00007FFD30040000-memory.dmp

memory/3924-3-0x000000001C230000-0x000000001C25E000-memory.dmp

memory/3924-4-0x000000001C470000-0x000000001C516000-memory.dmp

memory/3924-5-0x00007FFD2F6A0000-0x00007FFD30040000-memory.dmp

C:\Windows\svchost.exe

MD5 b97e69b04ea6badd1ea0109ca99ca37a
SHA1 b586b6cea648c2e182636a00c7a2a3b9cfd4df45
SHA256 2c37763ed709cb7866ca0571d60874990bf096e3aa430bc6f246aff84aa0ba51
SHA512 74db6ddbff35a640ece2e9f2ce2c2dbe385144f6c11c279e515138fc802a997bb42581bfa1f29313de656b15f757d946ab452f612153cace5143e9df3ebee6a5

memory/3924-17-0x00007FFD2F6A0000-0x00007FFD30040000-memory.dmp

memory/4500-21-0x000000001CB00000-0x000000001CB9C000-memory.dmp

memory/4500-22-0x0000000001740000-0x0000000001748000-memory.dmp

memory/4500-23-0x000000001E680000-0x000000001E6E2000-memory.dmp

memory/4500-24-0x000000001CBA0000-0x000000001CBB9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

MD5 7f671d6d2e4532b72089ef8937aa0e3e
SHA1 469a4a15b5ea3f59e0d0daa03d3dc10d2959b234
SHA256 cd856e5705876d46f5e5a80f5ddbdba6b253232b5104302e5ee503fb6601d402
SHA512 185f20728f2ab206866930d532cea568c07514eb8cedd33c77a84815e3148be7af75ab8a6f46b5d45324234c758bd4ffaf7a5174c8c6e5b00970aab7a78f43df

C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe

MD5 80c506da3df5e4580c06c48162bccbea
SHA1 43fbccf50f91cd8e1190869b0edc96d920519c14
SHA256 5699b2e12f78b7eeca0633c6a5a93effe7187565eccd7668acccf93c61ab7acb
SHA512 f4a424bf758bb48da944701397ac1e82bb72a15ea4e8818535f2e52199d37e9caf4361303fee4bd9d6db528e1c0171d1612aebc5f636ca9c4ee4fd795432b8c5

memory/4028-36-0x00000000002D0000-0x0000000001694000-memory.dmp

C:\startup.exe

MD5 12b162b0c010fcc23fa43b03cbb76509
SHA1 a696c6b6d5c0216b3eddf8dd4eb2a269abe19d00
SHA256 6be68911f16ec9283da61ce222d946c9e8e5ea39d71ad9d23216b4961947d180
SHA512 f983d2a19c18574cd09c1be30f44a6c8b586bfc74341367f6dfab26a6c7440f73e7ba252e66d1ed5fa6af5a78dd3f69de3909a369fe08ad78ca1e539eaa036c4

C:\backg.jpg

MD5 aa8212e3f48d35711f219cd9bf1265ab
SHA1 a3b17cc5311f23cc2db204f5b7081cd7d170094d
SHA256 ddc65eb885e5f89406a0b9ec5d23b0bf041ef9c15b689ddf6b855c9a62132200
SHA512 1d15ea1e09dae7d5c2b507f26dff3c052888deb7e5f8d17f5baac1c76a15cc2b0f11b470d855213ba17c03b32856e921b36c8acc6a32e9ff1ab9c04dc4ccf261

memory/1936-189-0x0000000004C90000-0x0000000004C91000-memory.dmp

memory/4740-191-0x00000261B6600000-0x00000261B6700000-memory.dmp

memory/4740-196-0x00000261B6A50000-0x00000261B6A70000-memory.dmp

memory/4740-214-0x00000261B6E00000-0x00000261B6E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe

MD5 1849f89a807de47190139035f6148366
SHA1 0e23f3cfc246483f5dd17815fea3d5011f6611c7
SHA256 131c1efa923313555608e90d97f0a2d8fdf3fbe4695397278ca391009148f9ac
SHA512 49398d7a4f763caf39385945abbc3c028be655fa4d89f05b638708f2e1d790c94deee45e3fd14c7c34acba71c037f6d155514c69342a2257f1a21c084488d154

memory/3856-258-0x00000000008F0000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe

MD5 531bf67134a7c1fb4096113ca58cc648
SHA1 99e0fc1fb7a07c0685e426b327921d3e6c34498c
SHA256 67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a
SHA512 8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

C:\Users\Admin\AppData\Local\Temp\Locker.exe

MD5 a83185ef7c03bfe0e0fbe10098876a34
SHA1 b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d
SHA256 7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be
SHA512 283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c

C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe

MD5 d7df2670ad0c6c7b9cc48122f20f086c
SHA1 e69bf8c214d8c4b768125ca03e402e1c871cc233
SHA256 d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b
SHA512 05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS2.jpg

MD5 cca27415b786d200913522217acf8522
SHA1 be4cb7f3d444f6a715a6868243810181fb1eb1de
SHA256 2f18ae84098647ccba038f6a3da82b03b1b43e1f035f4a6d583c63f10d0a40c7
SHA512 b9ead104aaac9da740cbd333fa7afc68148db77cfb56645d5793f91ce4e61d7e42a0f720698eb706efd2a8ee97b7189b8bbe26f6cb3a2470c2a5fdd88af4c3d7

C:\Users\Admin\Desktop\Lock.HideSkip.scf

MD5 2fe435ff124a9c6f82e24632af0c5b12
SHA1 c7747bb56d65e2099af3494f3f77c3df2fbdfa41
SHA256 c0c40f9c127b6ebad57c172f849995174cb748b67bb4788d845e29f6ca0c9618
SHA512 3387084c3ce424f31a536d9045a0e7e446a6f39bbce277f24dbc678ec55aa4a767d4b9aaedf9a044b93df1770810202918cc010003c26c4d177a794f1f35f7c6

C:\Users\Admin\Desktop\Lock.RequestSelect.cr2

MD5 2c58f320d1cb126ac687b2f957bd79ec
SHA1 9f43467378dda9533ef4b63930c6ac6e256a9849
SHA256 057bd3a42648c4b0e4502cc2c8161e39ab39a1cb739b50824c0509e2a2d65b94
SHA512 5b8b09c197f3a9c21ffe876efecc7236ddc57194329d3071a660648d4d1f2570c4822e0f293606190c498998087355d794fde313db0ce0c843724c2ece6a276e

C:\Users\Admin\Desktop\Lock.AddProtect.vsdx

MD5 c532dc062d92dd3eb971b62e33f48829
SHA1 e92241a8656a2ce6f2a5d84dd97c6d5c8843d20a
SHA256 9ec1f4d3687aea799a58bc5576e056f6214a9915bcdfbfdcceac0328b0ad1950
SHA512 f673f6678361d9b7be45bd44fa8e2b9c1986de54c768f2889336e0d81b79399353f2dee3293c979a5aed98b8a74ad628a37bcec5efd7be2aed4a2f8eaef28f13

C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat

MD5 7784d810f5ff3afa8df50e360eb90e7d
SHA1 f04802a991ff6461aa1c35b7c0f68e43d5a114c6
SHA256 0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0
SHA512 80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe

MD5 4a591f46c87b49a7de93f5ac771cd4ab
SHA1 e0992350818e5c56d3f2e3a6db340d1f5b8f3314
SHA256 b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd
SHA512 b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

memory/5024-366-0x0000000000FC0000-0x000000000112A000-memory.dmp

C:\Users\Admin\Desktop\Lock.EditReset.xlsm

MD5 2675616cb73e40186ce56f7efadc4331
SHA1 acb870eea9ad6b4b27e3c97d13247e815abb21be
SHA256 6b5be96f18c14f9871bb7f8b422def4902d80ab58fe9cd2652542bed413030eb
SHA512 3fc9fcb1fd70493c6c24a797eb7890f3f8c25016b297ec8b2d6a73bd1f8fbc12bd40a8f6cc7947e49b179a721b19630a39902e3982511b9ba6e95cbe00e023ce

C:\Users\Admin\Desktop\Lock.ExpandClose.mov

MD5 4d9b8ee0b2759c30ffbe9008253091db
SHA1 c61d4d2ac4d19c3d61bdd6094d1536640fe03ed4
SHA256 2f44ce0860b6456a461441d9ad08f0f0c53befe85d644269ec2015c8995c9cc5
SHA512 660b1c46cf1122c4262140db501b2918cb82b818de16073841b8850adb3aad15b3e0761f4f7c8feab0586cd72de8ce350ed8976e2c86b9bd142bc519dfe29b13

memory/5024-377-0x0000000003220000-0x000000000323C000-memory.dmp

memory/5024-380-0x0000000003260000-0x0000000003270000-memory.dmp

memory/5024-383-0x000000001BC60000-0x000000001BC6E000-memory.dmp

C:\Users\Admin\Desktop\Lock.GroupReset.pptm

MD5 15873049fc4517736583b610007b5bea
SHA1 b7f603e86ccbe1721430be19521b940f3f13fe7a
SHA256 41901a30a34fcb0bb1e41f770c3426166a6ca3014e53da40fa06aa073f085633
SHA512 78d5ccd90c5a786bd99b5ca68156f3449fda1b2414f7adfac6712f5efd111e2db0fe0049575e24e7e6f802ca4a2c53c28da166199713b5e7dc653d20bf0186e4

memory/5024-386-0x000000001BC70000-0x000000001BC7C000-memory.dmp

memory/5024-382-0x000000001BC50000-0x000000001BC5E000-memory.dmp

C:\Users\Admin\Desktop\Lock.HideConfirm.docm

MD5 4cc29d69d0c48e32f9d2d563378b0670
SHA1 66a7f2d8c4c4e79a1000d57ade420152fc80d908
SHA256 5052865521225eb84891c07a65e3df20a3feeb1e88966ce94897c67018cd7eac
SHA512 135cd43102a4d85067e08e121017d49571138d4a19c026aa20b82e79665a11d342c8a0b90eaeb02f4a0c7c4bd492fcc1b39d311849f6e13059ca174703b2b4d6

memory/5024-379-0x0000000003240000-0x0000000003256000-memory.dmp

C:\Users\Admin\Desktop\Lock.InvokeConvertFrom.m4v

MD5 58cf30eedc4918df754a6d6f9c4b8975
SHA1 93d54a25e4dbde672eeaccdffe5174d091a39f8c
SHA256 09be51c41d2190b63aa949f91994d6b64364327ee4d15f912b1aa7db7738f61e
SHA512 88e3c8023dd0490a3bdb778a8d3054159b3dd294e9839fdef2603049dbd38cdaa7dc23084af9294856a4c16ed9aeccb40913aafb41e964948f5e10010dbb9395

memory/5024-378-0x000000001C2E0000-0x000000001C330000-memory.dmp

C:\Users\Admin\Desktop\Lock.ProtectImport.3g2

MD5 3f2c02c8717225739f6a05388edc2cf5
SHA1 abb703c47eb19296ecf5a8c8565d3885ac83ea93
SHA256 7dc5fac2c03895ed65df8cf833264df6e5c1ea1777626a81c6b834d10bdcf6de
SHA512 8b2f6981a7d2233fda06a33e2bedc8b83de126913cf25bf090c73bafb45289d8fb0e3768047d470f1240d98cbe5b45a78b11875d0f60d4e01591539577706b38

C:\Users\Admin\Desktop\Lock.ReceiveSend.vdx

MD5 20a7d1004bb49a287d89b2ddc089d8f1
SHA1 083560033c9418b00525b2555e6e9cfff984f036
SHA256 1c90cfd667674cfe40bb87cbccc60f49dd3b59c4dc5c5f5cc974c352cd30524f
SHA512 cd3be3af940026d6ff3f7c6a3e36ae549688ba6dba5eed7affa1f5851d09a1bd37d088674ee11e15c28644e13d9b391ecc990c510a7d7285b62babd77f796930

C:\Users\Admin\Desktop\Lock.RepairHide.docx

MD5 d2865a0af2a50f65920ddc461858ddb9
SHA1 6c16784a6578747bc91684b111033291204b74e7
SHA256 20c0cc7707af5a4f25449feca01f0d5e7ab262376980aa7731c8ff34f60dd95d
SHA512 80e3eb645db26ce0fedc9e2311ec6308e994a4474426866735218e29812a2f8f284405cf0858c4089138b34bc2f93484778214048cd56eedbe213c09d3f8d068

C:\Users\Admin\Desktop\Lock.RepairGroup.docm

MD5 931874d283b0f45bf6cf09534137afef
SHA1 5b852a470618a65fb6ce02f243e666aa4d346309
SHA256 bf509b82aab60e0b5665135283c470c7feda7031df2f15dcde04789129530dfc
SHA512 022db68a101fefd8ce9b79b61da0909a745201f7c3a95c3d747d658aeb9d3858b9aca97573232d0d24db28d4d41161ea6b21a9c631f9f54217d967f125137f2e

C:\Users\Admin\Desktop\Lock.StartInstall.vdw

MD5 ac46202fb503cdb9a545d0b00a49d0c7
SHA1 45cb5cf1feebfd590efae770cac284131f08d432
SHA256 b641f7ada1219913f254912a929be3e018639c48a84b68c85c941466edd0141c
SHA512 95f19a49830850af60b54502ac2830fe125c7f651de2e258a1e3598bc2dc4500b0e3664d9070f5f83b82b96e51d0ae9e951fd7e0b7a6b6f3dce667fe626c4b3c

C:\Users\Admin\AppData\Local\Temp\aut9EB7.tmp

MD5 7c30424c525cb64760083e066ca1f77d
SHA1 69c369028e3db4fe5c2fbc69cbd837d66496c480
SHA256 b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643
SHA512 59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

MD5 07633ba66f1d47a46791dd4e31dc205f
SHA1 5a6096eb2122cd089dd5c2c20d02079631e074d7
SHA256 cbd11c45f80a45a7219c0590b04185250e1a9b898d9b905837808855c785431b
SHA512 fbb026281e5bb96ac2615747a9d8e942fe73e01f5390b4f43aad425beeb854957691e9b90c2068d6e99b2d6189c5637e4ecb05791f1017580f2af1fb08283505

C:\Users\Admin\AppData\Local\Temp\34471632a4cb4fd6a6300a932e148197.mp4

MD5 e8653029eedb0e8e72a610d15c77907c
SHA1 1eb9f618ef3d2f2711e166721d3f5047313073e5
SHA256 9c066096d1c6c277bb85c2c1e2f1371a964ff544b8187658cd35a79544f30c1b
SHA512 6665da01a2b1923c0064856f60d99114dfe266a2660cd749da195d19b42b8e2e2c93232b548029e725b09d5657bb6c3a609b806086d522751e185f3925ddb915

memory/3444-545-0x00007FFD450C0000-0x00007FFD450F4000-memory.dmp

memory/3444-544-0x00007FF62A0B0000-0x00007FF62A1A8000-memory.dmp

memory/3444-546-0x00007FFD28E90000-0x00007FFD29146000-memory.dmp

memory/3444-554-0x00007FFD32530000-0x00007FFD3273B000-memory.dmp

memory/3444-553-0x00007FFD44330000-0x00007FFD44341000-memory.dmp

memory/3444-552-0x00007FFD45020000-0x00007FFD4503D000-memory.dmp

memory/3444-551-0x00007FFD45040000-0x00007FFD45051000-memory.dmp

memory/3444-550-0x00007FFD45060000-0x00007FFD45077000-memory.dmp

memory/3444-549-0x00007FFD45080000-0x00007FFD45091000-memory.dmp

memory/3444-548-0x00007FFD450A0000-0x00007FFD450B7000-memory.dmp

memory/3444-547-0x00007FFD45130000-0x00007FFD45148000-memory.dmp

memory/3444-565-0x00007FFD33260000-0x00007FFD3327B000-memory.dmp

memory/3444-564-0x00007FFD34D80000-0x00007FFD34D91000-memory.dmp

memory/3444-563-0x00007FFD35B90000-0x00007FFD35BA1000-memory.dmp

memory/3444-562-0x00007FFD36CC0000-0x00007FFD36CD1000-memory.dmp

memory/3444-555-0x00007FFD24090000-0x00007FFD25140000-memory.dmp

memory/3444-561-0x00007FFD3CBE0000-0x00007FFD3CBF8000-memory.dmp

memory/3444-560-0x00007FFD44300000-0x00007FFD44321000-memory.dmp

memory/3444-559-0x00007FFD33280000-0x00007FFD332C1000-memory.dmp

memory/3444-598-0x00007FFD28E90000-0x00007FFD29146000-memory.dmp

memory/3444-607-0x00007FFD24090000-0x00007FFD25140000-memory.dmp

C:\avocado_icon.ico

MD5 6d362a3e515cc18d537f74fca1f75293
SHA1 99a5b363ac274e027530fa7a532a007b0e6c56f3
SHA256 c87dc1a91720070afe96d3be716d6203540da4d08e9d2339967a8a2a6a521d42
SHA512 896ac439ff7ff58b33413fd978bee25afffd9f4b2a8183ad63db861b92c7118bad0b845ccd85390c8b8a76ba57f6a6fb7d0ad3970bdb0a28fb9f2ed718979821

C:\skream_icon.ico

MD5 21a8888b16b257c094fd38d09612fc48
SHA1 9ce7e89da63c663987c9624a845144a4fecc3e72
SHA256 e1e71925f5169df514d0c196f41fe91ae1419426ed28422aea78ab85b4dafbc4
SHA512 cc554f7180b8f79de7ee6278b19fe8a4331ab9caa5cd980caf66eeed973a3577b56dfb57e4c0797d7987ce55ff8ab305a9a51b27568ae0fb9414498d3c494af2

C:\ben_icon.ico

MD5 35ed09899d21d2f9806e5c4eb1411324
SHA1 5afa7972868a84f4e49d65f149aa09dda07870d2
SHA256 66775b29fdbd36e7ea15b038224a12271fe84b0e1129b11dec008af1dec986b3
SHA512 625d060ab49f371a9416315f85f6c01874cc19bfd5a4fb9b0a84287f1af0411695623e4176e62afa6623b16339b4c603f6a2179fe00ef505fdcd97e2b36cf820

C:\whenimpostaissus_icon.ico

MD5 57a21de76111fd67dd32bbf5b8cbbe8f
SHA1 127d6c20da0234ac8bc9dd65391fcfd695185274
SHA256 8a5f22591d81c5ce727cab12fa380c3331fd9a3118a69667bd21b8ed9d6bb96f
SHA512 4177b17475c7dff84fa577077d844e27af7d8dafba7f6beacc1b45174d4df2ae88f242529dfbd5f6e5b80bbc5ceb949ba0fcd2c3c7065dcf32226b0e9da85629

C:\speedrunner_icon.ico

MD5 a0bd05bdf6641d55fff217fc45b6e7a4
SHA1 9c4f824bda8ec17d0c23fbe50cd8f6c55d5784e3
SHA256 c34b87c2f0454d80f7b1989e80eb5b6ca04052c16f94ce294f15a0053cc76ce2
SHA512 bdecd28c096925852936f0aa96a406596a3d60bbff51ac1e12d9241f4c7552630bf12aeb73cfed8cf8afc916cad90d4e6d23e5eafea6e14f73b73ced4992bad3

C:\xina_icon.ico

MD5 0f111a8457f17592240624b2e80a6c61
SHA1 23b009e988c3a95d9e8ac97e9baf2979dda3211d
SHA256 8d49d92735d094885cbb57a63988e6205b5a477f2a571aff2f1e8d295f3d8e2f
SHA512 4e14e5e9c834723a23d3982fa2c5223eb0ac09403bc5cde638733c2a96dc28f820f76b6614e444b5a2aef3fb9f53c6e8f1fffd265ae7bb0af0c372aa7f548bfe

C:\theme.wav

MD5 e4f642067670a4001d31ffb18f481f96
SHA1 538336f1beed8f74a0913454265cbcce4822c4e4
SHA256 5b41d14436cdd8e5467be6a1705daa108c428176c9fa4f9c74bd88cd4b703960
SHA512 5b7e27540c1bcd579d633597de005b7cb6a91f2dc8a6849c23b16a1fcc942688cd59ef0b0422a2832a2c84b6517e9debd87c5a1e9a57521837dc1c18ffe4a59c

C:\the_wok_icon.ico

MD5 8e1462f2d993e1bd6fd00268623abece
SHA1 67367e20f64d32ab8d1840dedd91d686ac989952
SHA256 ac084f24272a89b616e21add98739a7c4dc55830e6c7ac8fff74a9d495eef4c5
SHA512 9184a8a87c2b5ec222df4d51a940977b2ec784c634ca66e5d11a46d35ef1a38162b6e1090e1df364eaef3fc1313a39a989a803c2ace603e90fb4473ec9105ace

C:\ustupid_icon.ico

MD5 6e3e6e1a0f01c0168c7b1fcb4e63a89d
SHA1 785688b7caa8f28583e417a651517b721405d835
SHA256 b856abc28d3d026fbe327376bbd72f7a169012bc987d59dc9fe600e9714ff634
SHA512 d2038420bb997ff0d97561ff8b167822de36fa1f924962abed0f29b3c8b2ef7bf9a9f52311738d498b894cfd7d488ee0a1741150e45782e555028483bb1ecc99

C:\guy_icon.ico

MD5 caf2b6d49aae9303b222fdd06b91f10a
SHA1 12b967bd3aafa465c228551a7cb2d70f8b9f972e
SHA256 2b670bfb2029e8f023f13180780c648f606bb91fd5854e45e08c27bad2f4e1b8
SHA512 0eb51b3e222c4843fb3d79bddfd04faf41135845f1d20a320be84f076289be9890624cb34b73bf4093b2ddbb8d48ff409deeec5aaf3b10216204a24da4c2f92d

C:\rock_eyebrow_icon.ico

MD5 56afb11ebd7367af4c03b065ef3580f3
SHA1 4f30fbf3d5c0469533c1b33b98aa612e6704c14b
SHA256 da6e60fa7d074a5b8a90e3ebe53ed1c01661423ec0ec1ff154857bcef14ecff7
SHA512 eef0e1be7dfde83f546d36f41a6339ce17d5c7153da3f3d003838c333884458697b2d156abf9c119f4786d4d53f08563b79d17c0c3e316dabfa519db145e32c4

C:\walt_icon.ico

MD5 fa516d1d0fce7db4dfa81e73cf74e917
SHA1 ecbb4b0ab88b6c7574279693bda9a7cfd0a2d9c0
SHA256 335b92e10ea035e1061ab8d44d02472d2db80a838eae63900b9d02ab9483c4af
SHA512 f9adda2c53121fbe6a0c42582f2af6d19dc8225f9422a2163210153bd5bc458cd4fadb1d97085fadc658b45557ddc3650ca96d68764241a153c70b68569dec8f

C:\obama_icon.ico

MD5 f89f675153effeea979e32716d1dcac8
SHA1 84780277f79505ccf920d13391726741e127a79d
SHA256 99232a1b8d11825ccdc89ad8a9e095c6a1c36731836c17207ec5f45cfc0270f7
SHA512 8c447c5a226a127cb671eac033bc7db370a5dd47aeed7e46fcbd112684bcbff300827292c8bd87aee6f21bff887c4c04b7620b3bc22a3b6bd3b6843678083fff

C:\bom.wav

MD5 1c782f17124b6eea9619acc46fc165a4
SHA1 aa22fe4a52723cf2ec83af3b478531c83ac1c589
SHA256 9f1c04f4d37d995f9f6cdb7751be399468c275f91c35f30bdb45ff9ff31190eb
SHA512 2b63129054cffd9037963f9e42c46c489e697f81109f8465c9cf3915894f143ffa444e9fb1bef195111ea915f36b51f08246b5ddc7ae5763d056bd0c8b0a7921

C:\dad_icon.ico

MD5 8883262af502c220932bbc50979391ca
SHA1 0be9ff95e86e798493f5f067a6dd3ddec9ed6832
SHA256 f500586d27d938ebfc965c59cdc42e361b78bc41246d52a075bc278271c96fc6
SHA512 ca78bd4cbf199ac1ec91058e48f357b3dae908a5bc06eba132ad9e143d5791d11e04462a96bf836999dd412ff0d9f37d06243c8b944f84ec354a3fb223b1d076

memory/3444-739-0x00007FFD24090000-0x00007FFD25140000-memory.dmp

C:\Users\Admin\Desktop\Lock.ConvertToEdit.wax

MD5 1e452a44ba9b4ad84a69dfc66eb9a711
SHA1 1fb3d299cc0f1f2563b6105ebbd76fa8dc4e8823
SHA256 91f04d2726d93a61248df4e402ef2b10840ceb46668afe87c9b37fb1452db9fd
SHA512 62942d3d73db333e136fbf16c604ecfcdd39e6757364c4003cd2631278a5dd2d899259b5e56528fab4d872d3bc95c4b1151b1c0e894f6b713e71ef6248d17e26

C:\Users\Admin\Desktop\Lock.FindRestart.rtf

MD5 ba374f16fcaa0efad37a2ad71c3ff179
SHA1 9847f62f87812c43bb00cc23688d68414296d30f
SHA256 9ea5ba86d7b082e291474a496e8f7186b356d535be0eb75294ea05fb84688786
SHA512 788924f49a58983453eef5e5817f04681f57f1cf37f29bead4e1c21247504c6d24f5b29ab4340bf9519ed12a2f1bada0175b993c7acb1c1383348337ab519012

C:\Users\Admin\Desktop\Lock.NewSearch.rar

MD5 2b5fde6fc8d15d6b216055f659b815a6
SHA1 829a6189b04593e0a06e9af1acc1aeb2e7b88fd8
SHA256 f58889910b4e3fc77a2314d0f768d77240af1b394fc10f48d536252f9d540818
SHA512 47b9d026a5507865eaf9a6d66eca0bc8abbdf5faf02f47105a28aa35e3fe502b64cd1f9a49906fd5b583fa7aca5e7d079958fbbff69d9d10df218f60f08ad446

C:\Users\Admin\Documents\Lock.DisableReceive.pptm

MD5 e21a5734c54b4ac790e8a1d657cfce3a
SHA1 bafe6413eec5153958a3b830ef65df74a0a95da2
SHA256 484141416943c3975550995b63eb326767d471e82b0063827d83ff291de06e43
SHA512 68721eeebeaeb7be63df1cca7da892aa83c4385f5b3a43cb40a137c0a0ff65aca2e95b03425999c492d45447fedef7305bb64de6c437bd0246815066eebe4f3c

C:\Users\Admin\Documents\Lock.desktop.ini

MD5 7835655816219d921dffbdb312396000
SHA1 bee4392a2a21f1faff64510296ed6d29d5ba6e7a
SHA256 4ef42b28c2d34762c16b1b31beae549b7a01c891ecf402fe5fe84b79f12afce5
SHA512 cbaa8c16f5d04486bcc0d29a5d03dfd6443a5b950f4011f0a274ceee82fc5f1d57101fefef8abfbe072140856af2c8246287625a5f3d7575ee798024c0accdf0

C:\amogus_icon.ico

MD5 43042269818924374a29891d79cb676b
SHA1 f34ef8a688e15efa9c0117816a617892a2730bb8
SHA256 77aa5f8536b9c30133f8083712b2d5434123d31a6ed41f0680fce52e06144187
SHA512 09cefcf48c1ebd4d5593d6d4f6973ff39330d23cf606da54bf79eeecd355842c675bd530b4e43d19b3dcc3fa6f4539d5d161ca423347197d6b319c17abab0e31

C:\Users\Admin\Documents\Lock.ConvertToMerge.vsdm

MD5 b7817276b37a482e085c05595c6b5caf
SHA1 fcb810dbafecf803b27526d076311228c8484b63
SHA256 d9388119bb097edbaa0da9b71f52456113eb285617cf359e5f7c74aae891851c
SHA512 be5569c08dff4fa71de354709e43b63dbcb5b70e5f17767b03e9eb5babd724c3b7c852af8e3b595427b954c65b77356d979d9ffac77662d48fa9e7ede627c61a

C:\Users\Admin\Documents\Lock.ConvertPing.vst

MD5 f51cf9d4fab6eef74dc35da703261d00
SHA1 0b98c40b3c294eb8afc340a784fdeea98153767d
SHA256 399236c1e5a3baa00dbeed438df8dc86ad0a9711dfd3bb2e9dd8064fd113ae74
SHA512 5536b4c6148ccd718aa269b17e0141ffd984f7819fc8248f26656ab77cd6a5cda9dbda060251eb5745ba6e653cffe6cb11f8f558b9d8455c156fde06e9898cb3

C:\Users\Admin\Documents\Lock.ConvertFromCopy.wps

MD5 b7e7d6250d75494900f8fd423d251685
SHA1 72e920935362eed1ecb4ec49823ac1bb0824e0f0
SHA256 79d80a290c37bc5499e7edfa4fed87557d70d0dbb2f9d6936941d2cf56475b8a
SHA512 129dcf313f9611fa844033a4c2f88fd27d1a3397cc65871ac25c6d6a7ace9992132d8d18db9fe6fca075dac64cf1a2a419ae73cc21bc339668ab47a157ea5d8e

C:\Users\Admin\Documents\Lock.ConfirmRegister.pub

MD5 f08289e66fa6a11d4e2b4c066e69ec98
SHA1 ae00597c07f18bc66ec5ef6b7e12b2e5dbd87ce0
SHA256 1891bec793ec502481278abea827e397d72d1c0fc7f9e34cf920cb7db49cbcc7
SHA512 7068069bb86b796cf5b701f7aff041a6ce0595a4a23c2fadb3d9e027cd9d1975ec4668af777183f00fcd4ffda4b9a17ea217239f49fa489d2fbab8ff4a123073

C:\Users\Admin\Documents\Lock.ConfirmApprove.docx

MD5 2a1bbfbc3de63cf35279e4623503a4df
SHA1 e273699e3151cdbf203afb5a88e9c93fa9cd627c
SHA256 864aa7af02cc2645469a9affc6bb4d377c5d06dd3c14bb83b14716994dd08257
SHA512 dce95f8c373ddabd57d832296d1629e888f1fe141d473d683e24df4127ff0732c31b21705184d52ad731761c6ecaaa2a578b13df741e7c9d06a6ad62ee628d07

C:\Users\Admin\Documents\Lock.CompleteRevoke.vsx

MD5 bb35d7dab34b812618c837ffbb2cb684
SHA1 556e47cfde88f3eb76a1fb8232d87936d5c6c6ab
SHA256 6e066c04cd5348abebddc619e47ee02cb378ef32eeb8ff00609081bced57da16
SHA512 d16ab37689cba81955091ebc3f285e68e9bc4d64283aeb7b8db7ca9d7e17b2314130e51b778c71fb964fc28361ef91053dc9e042c4af99537d0609db3560538b

C:\Users\Admin\Documents\Lock.CloseRename.odt

MD5 04d40a37ce305c670b9fe3a7ae715703
SHA1 d24a34754b927de4fa29af5bee066a7258223208
SHA256 02d57d340ac868ce4ba0a4a343362e6ce96e304b2fb7ad978c468bef5625f05e
SHA512 4bef0f9938ebc69de49f26b8166b781cbf08fe17b5765b0dec5e208ab29a4c12bcad33e973c1654686e0252a0640e835078ea8ab0bc15248c748965c9e0daac9

C:\Users\Admin\Documents\Lock.CloseCompress.xlt

MD5 e752200f3a47325ff48bdad91cf7b960
SHA1 739d0bdcf4f4c3d90db1ba13f6b4d54008ebfe27
SHA256 4b557de62fd441cb662b6ed046075f1a962b9c3e3c76c774ba73e3a99d21b51c
SHA512 d99ff4dfc597cedae4d29bd9a2b07106f7d85df27a8acb006e19df59715ff2fcfa8c022d7fcbea7a7908e8267153aed9abe057fc595a5b20bf3d975baca8d8fb

C:\Users\Admin\Documents\Lock.Are.docx

MD5 4d3e6bbe44de5513c1733b3e0c6eac64
SHA1 cd3a00fc52b12f900bd4a87482d28021e2787265
SHA256 ce28015b2b93deed2c7569c325e811aa9a0eef29070ae6f73e59dbdee7009fc8
SHA512 11c128b5a2dfc97a57c5cb49ad31841179344bd3179db15c71f0a3bf11cb61101d1bbc2e125baa8532f383360198c7843d01e8dd63c3b2340d77351db8ad419d

C:\Users\Admin\Documents\Lock.ApproveInstall.vstm

MD5 3273525dad0ee4359cec07d88238dce1
SHA1 44b6807b74d7d6325f454b74687f48c1e41f30d1
SHA256 6a130b27d6d702ab41822dfd475fc8aa9c0bc0bc19c2c22d873cb749e2dd2e80
SHA512 428f0db57a20896fef50a026ddc2f3c9d236ca41db353fec564fad9924c0c2a1360110bad678ec348d055287d76a5e8b109996f2e6a2e084d99dbf93725910e3

C:\Users\Admin\Desktop\Lock.StepPush.ods

MD5 6c2ec6cf36bdf86ddeeb616094162a61
SHA1 fd5db1b436dac19c3db91df860633a9548cab746
SHA256 3951a33f5c6c16bf0cb5a5f0541cb1d35850d9ed2b207ccae8c840a561a0243e
SHA512 91f156e12ef072c60a8a6e5b3e05bc503161045a8b10ec645fddc02a4ba2cb67b0c79cb75482cb4a9c340bc0bbe21cf179e8ec0e00865e0f53e2d5a9a900eba1

C:\fart.wav

MD5 e87a6a5fe2591cb8c7a88c0bd4cc8d3c
SHA1 75c4ca221b2f4782709f16230059bf8413de13b9
SHA256 840bbecc0e95ca503740df9ac0ac944303c4a4c5f163a3eb4d4aea329629371c
SHA512 2fce9c3827b0d16828175f8ac86029f615614ad0f147c95842113824d8177e2919cd0e09d67b9723396d259dea99e3b465b7a83972a8f1d344925cd8c14f0605

C:\Users\Admin\Desktop\Lock.SendOut.vsw

MD5 1a299ad32a81354a2fd0000dd34b3e21
SHA1 2371f59ab696174c2ff58da1fe7570ea9607dc39
SHA256 4c2ae6b4c8b76874d8be57699337a43acc2fea58c0fbe40a8ff8fc06e7c6a080
SHA512 dc1c4d62d2f9f448d10e5aeb4653e436a6ba6c1d425445b29fecb1a6eaca5507f4da4241fb3336f845a6eed741e59afbe0cd0e1b9dcd4c5ac5ca0803ae08658d

C:\Users\Admin\Desktop\Lock.ReadPush.wm

MD5 bc4e75784ce5d4485303e0020d9de669
SHA1 5d8ee0697625e1de377297fd2ebfe6526a28554f
SHA256 deb3abf561913b638186c7866c048726b7e734cdfe9b92c4e746cc5ebc9901a6
SHA512 a1710788555250e766caf9647197a4944c99633cbca4663db1265021ace45ab89f0035aee209c0eb34895ebb034b88b700ce0ee25b1a6c2613e7a13d2ff47b7f

C:\Users\Admin\Desktop\Lock.MoveConvertFrom.txt

MD5 1a5f5de467ed31681efe020fec483f64
SHA1 eb81a6ceb8296f452fc4b614947498faeca297ff
SHA256 f0db3382098ffc4a6f825a6ade735f8e662a1714037cc86de11b1d9534711c02
SHA512 b4f758297d9f36c140dafc2ed9e0b949af0dbc0b3f9adca2c93896c9b8673061fe09018737b4d1fc5a49c82c13e3e7241b8d154c52ed300c9174a7095900ba0e

C:\Users\Admin\Desktop\Lock.LimitAssert.lock

MD5 3166d2babb66439072abc46ee78cac52
SHA1 46165f8a0dc8635c73e97c2ade95980b6117e17e
SHA256 3b30650ef27bb258237cec04a35b118878d684e4b40dc18a8227456b5a5e5b5f
SHA512 d6209b09b82d092149fda670de9dcbb23dbe791abe4675e68a3fa6d36b80d132d353fb6d5aacc6ecd2fa8ca370ca265b38a756867eb86d6cec49257b22fb70d9

C:\Users\Admin\Desktop\Lock.JoinUndo.vb

MD5 658cc4b361f8e51eb9043105cf04f16a
SHA1 5ca1953dd00977142213dc691b12098faf0569e1
SHA256 b875531ec06a475f2f3dee8280764846b75f9d8ff0817ada31d187ed55f7cc2f
SHA512 1f2d180bc6164d0dc890f378ccfa7c424971565d0b689916e4556c61622b40006e3f8ef5ff57917472246508e9f84049aeea4f0528817a38c356b728b6d00293

C:\Users\Admin\Desktop\Lock.EnableInitialize.xsl

MD5 71c2156b854c3a0cc70053e69bb72705
SHA1 85a84b8e447a6f2ce4c22f130538273e239e2789
SHA256 c5a1bc2b2ff604c9c11576d38b0f49292fa2cbb7c275ca6143174c684a357587
SHA512 f985775bc2d32ba3823e7a3940f7cd62c677ce5ae0a5806cf257176f1037f88b4cdb823c43525a2f41f80abf226cb125094ef6ce12af0511324346fe08ee465b

C:\Users\Admin\Desktop\Lock.DisconnectAssert.ram

MD5 71b8cb26cd23db727ad4b4ad80c28c64
SHA1 eb311b663703f04913ed687e7107405e6b9d8a40
SHA256 07fcb3e23fec240dc80dc74903680dd39c23118dd13fe8ecd64394e24678fa76
SHA512 0993a3b84a47a4e00d6c75e0666d58cfb8483e140677f820d7736854f9ecac2f6118864662e6ea2b9a4451475f4d38b86164c5e8fdd12ac7ebb15df002ecb04b

C:\Users\Admin\Desktop\Lock.desktop.ini

MD5 ba41cfaa9aff58c3b40c7ac73b4d1cd4
SHA1 691f19d9330522a47b16c832c6d6b51a3a2efc72
SHA256 30fb6cb48d4689a02731dedf82483a58738ba4131e4be90b2a44bd1ab9fd6a0a
SHA512 708ebe3314fd85d51ab0e73d83a7e61cb00d6c0ce5e78530f7ed6c9e6bcd827ca5b3ca4cd34842bc2d7337fdd73c4c1f39407f5e8c94ba6a5fa8e9130533350e

C:\Users\Admin\Desktop\Lock.ConvertRestore.css

MD5 55729cd9b85a685c4104e1ae135ca97d
SHA1 e3495a49b10677e4c0382d37dc7eca11abac172f
SHA256 4f1d5da212d869fb1eeeb6f3119b8f959f0e494bf297fe539a165d324fadf38b
SHA512 3f29d49e71b27b4fdfd235eaf152a4ee66fe981e521cb062cd26aa1345e60cb2a30f4ec8b180dfe9a2f93621ddabbcb4b9e376ca2c171be008f8f76c17b31e6c

C:\Users\Admin\Desktop\Lock.BackupExpand.mpeg2

MD5 39e05d694e4c60fa5f771e33d651acff
SHA1 9ba8cdd1452100f6c3040ccf9a7055e4802ec6ea
SHA256 52e3bf5f4864d4e12e8cc6dadb8150157a17943668447dd7458359c1a4f95995
SHA512 402b4e0aa2dfbba6671e497116bedd77f40261efccbf7e311a0aa36cd759ffc2847a584bf6236bfdff4b234b8aa984956d627176dbbeb3524d7a8bfe050b4399

C:\dance1_icon.ico

MD5 323a72afe92a7ad2babaa513664de695
SHA1 463ed7dea34779bd7ad4c24259c1eddb3b9bdc22
SHA256 c03e1585cf48575272ab211b4f14e0dce6dad1584d482a2fefedb5e67f49dadf
SHA512 a109b61c2de9d57774265de6277b04da73c07ba24fd2e193483fdf18697d86b4f82759ce92725794d581b39ae2d74ba5a09283683e816f7020d537bf057d2ff0

C:\dance2_icon.ico

MD5 231d13891f890984ebf98d4e7494de15
SHA1 cd72772b0c89522bd313085821593e803fae4530
SHA256 c495ca6d7b6fd332b72e6976dcb57dd6ebdf7a4613525838a99ddb66243ff777
SHA512 9bb6221f2723aac8e3ced5641eecfe980c218dabb3d5bef600563b21e801940c4da225d9ff1fcd9af3ef171fc8862b1dc2374c022c0a8ea91474fc23bf5056ae

C:\dance3_icon.ico

MD5 e94910202e1439fac8c4c863461d3010
SHA1 777a653a6e3ca10f300bdd06f96ec860637fe01f
SHA256 2feaaf967c844f994ea982400a9a99ffa3475a955400581e674688068ba2b2ee
SHA512 8b16c230961ecde3350c1226a27b8133862dc4ac031d5e1e594365554f2f072737c86d4e1528b2d2ee4fa276f2b420c046bad2693bbf4864530b471e84615d3c

C:\dance4_icon.ico

MD5 368a0b24808f1ea2f7f81971ed3cb65d
SHA1 98ae25468021be6b52a7aaa16e3c696dd991244c
SHA256 c9fe480f87171c09c8b5d7b48dc04f7e805abcf73ed6fbe7cf52bcba605853a9
SHA512 f0b16c124b7c30056bd4441bf871cfc203475c0b1feb96d30867f77b825e6e53892b04ab958a701abfe4f84e850a16e92a7c048a918e851d638169797a80ef9e

C:\dance5_icon.ico

MD5 b458bda6ed6f8feb7c75684604ffeda1
SHA1 1430f75922b0e1952d97b949cf4a039a02879046
SHA256 dc9d9dbae58f0c4acf30a11b6f39d1ffdeb1b4ec930b7240bcdb6893866a2a04
SHA512 f4d7c5201a205836d74c4b35bdfaf4d9c8648effe6d721300d8b60e1ca4c19c5a100c82022e6d9b0274d8c249e253d236d7c14b238e4492990de8c395cc08da9