Analysis Overview
SHA256
2c37763ed709cb7866ca0571d60874990bf096e3aa430bc6f246aff84aa0ba51
Threat Level: Known bad
The file New Client.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
njRAT/Bladabindi
Process spawned unexpected child process
DcRat
DCRat payload
Disables RegEdit via registry modification
Modifies Installed Components in the registry
Disables Task Manager via registry modification
Executes dropped EXE
Drops startup file
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks whether UAC is enabled
AutoIT Executable
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Control Panel
Modifies data under HKEY_USERS
System policy modification
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: AddClipboardFormatListener
Kills process with taskkill
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-17 22:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 22:48
Reported
2024-06-17 22:52
Platform
win10-20240404-en
Max time kernel
217s
Max time network
218s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
njRAT/Bladabindi
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
Disables Task Manager via registry modification
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Windows\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Windows\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Windows\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\svchost.exe | N/A |
| N/A | N/A | C:\Windows\svchost.exe | N/A |
| N/A | N/A | C:\Windows\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f88058988f0449ea67822f03ca4e710.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| N/A | N/A | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Windows\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Windows\\svchost.exe\" .." | C:\Windows\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Windows\\svchost.exe\" .." | C:\Windows\svchost.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\e6c9b481da804f | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\Internet Explorer\images\Idle.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\Common Files\DESIGNER\cmd.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\Common Files\DESIGNER\ebf1f9fa8afd6d | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\Windows Media Player\Visualizations\services.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\Windows Media Player\Visualizations\c5b4cb5e9653cc | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\ebf1f9fa8afd6d | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Program Files\Internet Explorer\images\6ccacd8608530f | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\DESIGNER\cmd.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\xina.exe | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
| File created | C:\Windows\rescache\_merged\2717123927\1590785016.pri | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\RemotePackages\audiodg.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\diagnostics\system\Networking\it-IT\dllhost.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_mtconfig.inf.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_ba9db1b5baf3a450\dllhost.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\servicing\it-IT\sysmon.exe | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\New Client.exe | N/A |
| File created | C:\Windows\rescache\_merged\4032412167\4002656488.pri | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| File created | C:\Windows\RemotePackages\42af1c969fbb7b | C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Windows\svchost.exe | N/A |
| File created | C:\Windows\rescache\_merged\4272278488\2581520266.pri | C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe | N/A |
| File opened for modification | C:\Windows\xina.exe | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065551368052" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = [binary data not captured in this report] | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\svchost.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: 33 | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 5
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\svchost.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\svchost.exe
C:\Windows\svchost.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
C:\Windows\svchost.exe
C:\Windows\svchost.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe
"C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
C:\Users\Admin\AppData\Local\Temp\9f88058988f0449ea67822f03ca4e710.exe
"C:\Users\Admin\AppData\Local\Temp\9f88058988f0449ea67822f03ca4e710.exe"
C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe
"C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe"
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
C:\Users\Admin\AppData\Local\Temp\Locker.exe
"C:\Users\Admin\AppData\Local\Temp\Locker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\RemotePackages\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mobsyncm" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\mobsync.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mobsync" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\mobsync.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mobsyncm" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\535.21\mobsync.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 10 /tr "'C:\NVIDIA\DisplayDriver\NVIDIA Container.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA Container" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\NVIDIA Container.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NVIDIA ContainerN" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\NVIDIA Container.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Downloads\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\Idle.exe'" /rl HIGHEST /f
C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\34471632a4cb4fd6a6300a932e148197.mp4"
C:\Windows\svchost.exe
C:\Windows\svchost.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1e855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.112.102:19036 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 102.112.67.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watson.telemetry.microsoft.com | udp |
| US | 20.189.173.22:443 | watson.telemetry.microsoft.com | tcp |
| US | 8.8.8.8:53 | 22.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | narzieo9.beget.tech | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/3924-0-0x00007FFD2F955000-0x00007FFD2F956000-memory.dmp
memory/3924-1-0x000000001B800000-0x000000001BCCE000-memory.dmp
memory/3924-2-0x00007FFD2F6A0000-0x00007FFD30040000-memory.dmp
memory/3924-3-0x000000001C230000-0x000000001C25E000-memory.dmp
memory/3924-4-0x000000001C470000-0x000000001C516000-memory.dmp
memory/3924-5-0x00007FFD2F6A0000-0x00007FFD30040000-memory.dmp
C:\Windows\svchost.exe
| MD5 | b97e69b04ea6badd1ea0109ca99ca37a |
| SHA1 | b586b6cea648c2e182636a00c7a2a3b9cfd4df45 |
| SHA256 | 2c37763ed709cb7866ca0571d60874990bf096e3aa430bc6f246aff84aa0ba51 |
| SHA512 | 74db6ddbff35a640ece2e9f2ce2c2dbe385144f6c11c279e515138fc802a997bb42581bfa1f29313de656b15f757d946ab452f612153cace5143e9df3ebee6a5 |
memory/3924-17-0x00007FFD2F6A0000-0x00007FFD30040000-memory.dmp
memory/4500-21-0x000000001CB00000-0x000000001CB9C000-memory.dmp
memory/4500-22-0x0000000001740000-0x0000000001748000-memory.dmp
memory/4500-23-0x000000001E680000-0x000000001E6E2000-memory.dmp
memory/4500-24-0x000000001CBA0000-0x000000001CBB9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log
| MD5 | 7f671d6d2e4532b72089ef8937aa0e3e |
| SHA1 | 469a4a15b5ea3f59e0d0daa03d3dc10d2959b234 |
| SHA256 | cd856e5705876d46f5e5a80f5ddbdba6b253232b5104302e5ee503fb6601d402 |
| SHA512 | 185f20728f2ab206866930d532cea568c07514eb8cedd33c77a84815e3148be7af75ab8a6f46b5d45324234c758bd4ffaf7a5174c8c6e5b00970aab7a78f43df |
C:\Users\Admin\AppData\Local\Temp\500d66313c4845b4b7c9c84ce04a3be8.exe
| MD5 | 80c506da3df5e4580c06c48162bccbea |
| SHA1 | 43fbccf50f91cd8e1190869b0edc96d920519c14 |
| SHA256 | 5699b2e12f78b7eeca0633c6a5a93effe7187565eccd7668acccf93c61ab7acb |
| SHA512 | f4a424bf758bb48da944701397ac1e82bb72a15ea4e8818535f2e52199d37e9caf4361303fee4bd9d6db528e1c0171d1612aebc5f636ca9c4ee4fd795432b8c5 |
memory/4028-36-0x00000000002D0000-0x0000000001694000-memory.dmp
C:\startup.exe
| MD5 | 12b162b0c010fcc23fa43b03cbb76509 |
| SHA1 | a696c6b6d5c0216b3eddf8dd4eb2a269abe19d00 |
| SHA256 | 6be68911f16ec9283da61ce222d946c9e8e5ea39d71ad9d23216b4961947d180 |
| SHA512 | f983d2a19c18574cd09c1be30f44a6c8b586bfc74341367f6dfab26a6c7440f73e7ba252e66d1ed5fa6af5a78dd3f69de3909a369fe08ad78ca1e539eaa036c4 |
C:\backg.jpg
| MD5 | aa8212e3f48d35711f219cd9bf1265ab |
| SHA1 | a3b17cc5311f23cc2db204f5b7081cd7d170094d |
| SHA256 | ddc65eb885e5f89406a0b9ec5d23b0bf041ef9c15b689ddf6b855c9a62132200 |
| SHA512 | 1d15ea1e09dae7d5c2b507f26dff3c052888deb7e5f8d17f5baac1c76a15cc2b0f11b470d855213ba17c03b32856e921b36c8acc6a32e9ff1ab9c04dc4ccf261 |
memory/1936-189-0x0000000004C90000-0x0000000004C91000-memory.dmp
memory/4740-191-0x00000261B6600000-0x00000261B6700000-memory.dmp
memory/4740-196-0x00000261B6A50000-0x00000261B6A70000-memory.dmp
memory/4740-214-0x00000261B6E00000-0x00000261B6E20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7d3c8a430b344f98b55b7aeb0388e05b.exe
| MD5 | 1849f89a807de47190139035f6148366 |
| SHA1 | 0e23f3cfc246483f5dd17815fea3d5011f6611c7 |
| SHA256 | 131c1efa923313555608e90d97f0a2d8fdf3fbe4695397278ca391009148f9ac |
| SHA512 | 49398d7a4f763caf39385945abbc3c028be655fa4d89f05b638708f2e1d790c94deee45e3fd14c7c34acba71c037f6d155514c69342a2257f1a21c084488d154 |
memory/3856-258-0x00000000008F0000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
| MD5 | 531bf67134a7c1fb4096113ca58cc648 |
| SHA1 | 99e0fc1fb7a07c0685e426b327921d3e6c34498c |
| SHA256 | 67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a |
| SHA512 | 8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4 |
C:\Users\Admin\AppData\Local\Temp\Locker.exe
| MD5 | a83185ef7c03bfe0e0fbe10098876a34 |
| SHA1 | b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d |
| SHA256 | 7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be |
| SHA512 | 283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c |
C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe
| MD5 | d7df2670ad0c6c7b9cc48122f20f086c |
| SHA1 | e69bf8c214d8c4b768125ca03e402e1c871cc233 |
| SHA256 | d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b |
| SHA512 | 05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS2.jpg
| MD5 | cca27415b786d200913522217acf8522 |
| SHA1 | be4cb7f3d444f6a715a6868243810181fb1eb1de |
| SHA256 | 2f18ae84098647ccba038f6a3da82b03b1b43e1f035f4a6d583c63f10d0a40c7 |
| SHA512 | b9ead104aaac9da740cbd333fa7afc68148db77cfb56645d5793f91ce4e61d7e42a0f720698eb706efd2a8ee97b7189b8bbe26f6cb3a2470c2a5fdd88af4c3d7 |
C:\Users\Admin\Desktop\Lock.HideSkip.scf
| MD5 | 2fe435ff124a9c6f82e24632af0c5b12 |
| SHA1 | c7747bb56d65e2099af3494f3f77c3df2fbdfa41 |
| SHA256 | c0c40f9c127b6ebad57c172f849995174cb748b67bb4788d845e29f6ca0c9618 |
| SHA512 | 3387084c3ce424f31a536d9045a0e7e446a6f39bbce277f24dbc678ec55aa4a767d4b9aaedf9a044b93df1770810202918cc010003c26c4d177a794f1f35f7c6 |
C:\Users\Admin\Desktop\Lock.RequestSelect.cr2
| MD5 | 2c58f320d1cb126ac687b2f957bd79ec |
| SHA1 | 9f43467378dda9533ef4b63930c6ac6e256a9849 |
| SHA256 | 057bd3a42648c4b0e4502cc2c8161e39ab39a1cb739b50824c0509e2a2d65b94 |
| SHA512 | 5b8b09c197f3a9c21ffe876efecc7236ddc57194329d3071a660648d4d1f2570c4822e0f293606190c498998087355d794fde313db0ce0c843724c2ece6a276e |
C:\Users\Admin\Desktop\Lock.AddProtect.vsdx
| MD5 | c532dc062d92dd3eb971b62e33f48829 |
| SHA1 | e92241a8656a2ce6f2a5d84dd97c6d5c8843d20a |
| SHA256 | 9ec1f4d3687aea799a58bc5576e056f6214a9915bcdfbfdcceac0328b0ad1950 |
| SHA512 | f673f6678361d9b7be45bd44fa8e2b9c1986de54c768f2889336e0d81b79399353f2dee3293c979a5aed98b8a74ad628a37bcec5efd7be2aed4a2f8eaef28f13 |
C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat
| MD5 | 7784d810f5ff3afa8df50e360eb90e7d |
| SHA1 | f04802a991ff6461aa1c35b7c0f68e43d5a114c6 |
| SHA256 | 0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0 |
| SHA512 | 80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac |
C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
| MD5 | 4a591f46c87b49a7de93f5ac771cd4ab |
| SHA1 | e0992350818e5c56d3f2e3a6db340d1f5b8f3314 |
| SHA256 | b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd |
| SHA512 | b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955 |
memory/5024-366-0x0000000000FC0000-0x000000000112A000-memory.dmp
C:\Users\Admin\Desktop\Lock.EditReset.xlsm
| MD5 | 2675616cb73e40186ce56f7efadc4331 |
| SHA1 | acb870eea9ad6b4b27e3c97d13247e815abb21be |
| SHA256 | 6b5be96f18c14f9871bb7f8b422def4902d80ab58fe9cd2652542bed413030eb |
| SHA512 | 3fc9fcb1fd70493c6c24a797eb7890f3f8c25016b297ec8b2d6a73bd1f8fbc12bd40a8f6cc7947e49b179a721b19630a39902e3982511b9ba6e95cbe00e023ce |
C:\Users\Admin\Desktop\Lock.ExpandClose.mov
| MD5 | 4d9b8ee0b2759c30ffbe9008253091db |
| SHA1 | c61d4d2ac4d19c3d61bdd6094d1536640fe03ed4 |
| SHA256 | 2f44ce0860b6456a461441d9ad08f0f0c53befe85d644269ec2015c8995c9cc5 |
| SHA512 | 660b1c46cf1122c4262140db501b2918cb82b818de16073841b8850adb3aad15b3e0761f4f7c8feab0586cd72de8ce350ed8976e2c86b9bd142bc519dfe29b13 |
memory/5024-377-0x0000000003220000-0x000000000323C000-memory.dmp
memory/5024-380-0x0000000003260000-0x0000000003270000-memory.dmp
memory/5024-383-0x000000001BC60000-0x000000001BC6E000-memory.dmp
C:\Users\Admin\Desktop\Lock.GroupReset.pptm
| MD5 | 15873049fc4517736583b610007b5bea |
| SHA1 | b7f603e86ccbe1721430be19521b940f3f13fe7a |
| SHA256 | 41901a30a34fcb0bb1e41f770c3426166a6ca3014e53da40fa06aa073f085633 |
| SHA512 | 78d5ccd90c5a786bd99b5ca68156f3449fda1b2414f7adfac6712f5efd111e2db0fe0049575e24e7e6f802ca4a2c53c28da166199713b5e7dc653d20bf0186e4 |
memory/5024-386-0x000000001BC70000-0x000000001BC7C000-memory.dmp
memory/5024-382-0x000000001BC50000-0x000000001BC5E000-memory.dmp
C:\Users\Admin\Desktop\Lock.HideConfirm.docm
| MD5 | 4cc29d69d0c48e32f9d2d563378b0670 |
| SHA1 | 66a7f2d8c4c4e79a1000d57ade420152fc80d908 |
| SHA256 | 5052865521225eb84891c07a65e3df20a3feeb1e88966ce94897c67018cd7eac |
| SHA512 | 135cd43102a4d85067e08e121017d49571138d4a19c026aa20b82e79665a11d342c8a0b90eaeb02f4a0c7c4bd492fcc1b39d311849f6e13059ca174703b2b4d6 |
memory/5024-379-0x0000000003240000-0x0000000003256000-memory.dmp
C:\Users\Admin\Desktop\Lock.InvokeConvertFrom.m4v
| MD5 | 58cf30eedc4918df754a6d6f9c4b8975 |
| SHA1 | 93d54a25e4dbde672eeaccdffe5174d091a39f8c |
| SHA256 | 09be51c41d2190b63aa949f91994d6b64364327ee4d15f912b1aa7db7738f61e |
| SHA512 | 88e3c8023dd0490a3bdb778a8d3054159b3dd294e9839fdef2603049dbd38cdaa7dc23084af9294856a4c16ed9aeccb40913aafb41e964948f5e10010dbb9395 |
memory/5024-378-0x000000001C2E0000-0x000000001C330000-memory.dmp
C:\Users\Admin\Desktop\Lock.ProtectImport.3g2
| MD5 | 3f2c02c8717225739f6a05388edc2cf5 |
| SHA1 | abb703c47eb19296ecf5a8c8565d3885ac83ea93 |
| SHA256 | 7dc5fac2c03895ed65df8cf833264df6e5c1ea1777626a81c6b834d10bdcf6de |
| SHA512 | 8b2f6981a7d2233fda06a33e2bedc8b83de126913cf25bf090c73bafb45289d8fb0e3768047d470f1240d98cbe5b45a78b11875d0f60d4e01591539577706b38 |
C:\Users\Admin\Desktop\Lock.ReceiveSend.vdx
| MD5 | 20a7d1004bb49a287d89b2ddc089d8f1 |
| SHA1 | 083560033c9418b00525b2555e6e9cfff984f036 |
| SHA256 | 1c90cfd667674cfe40bb87cbccc60f49dd3b59c4dc5c5f5cc974c352cd30524f |
| SHA512 | cd3be3af940026d6ff3f7c6a3e36ae549688ba6dba5eed7affa1f5851d09a1bd37d088674ee11e15c28644e13d9b391ecc990c510a7d7285b62babd77f796930 |
C:\Users\Admin\Desktop\Lock.RepairHide.docx
| MD5 | d2865a0af2a50f65920ddc461858ddb9 |
| SHA1 | 6c16784a6578747bc91684b111033291204b74e7 |
| SHA256 | 20c0cc7707af5a4f25449feca01f0d5e7ab262376980aa7731c8ff34f60dd95d |
| SHA512 | 80e3eb645db26ce0fedc9e2311ec6308e994a4474426866735218e29812a2f8f284405cf0858c4089138b34bc2f93484778214048cd56eedbe213c09d3f8d068 |
C:\Users\Admin\Desktop\Lock.RepairGroup.docm
| MD5 | 931874d283b0f45bf6cf09534137afef |
| SHA1 | 5b852a470618a65fb6ce02f243e666aa4d346309 |
| SHA256 | bf509b82aab60e0b5665135283c470c7feda7031df2f15dcde04789129530dfc |