Analysis Overview
SHA256
6c37b3d7cba096ed83d54a1c31ca265f79567e4b4b9339d1f07b18b5013182d3
Threat Level: Known bad
The file Launcher.exe was found to be: Known bad.
Malicious Activity Summary
Umbral
Umbral family
Detect Umbral payload
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Runs ping.exe
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 20:36
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 20:36
Reported
2024-06-27 20:37
Platform
win10v2004-20240508-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Umbral
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Launcher.exe | "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" |
| C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid |
| C:\Windows\SYSTEM32\attrib.exe | "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY |
| C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" os get Caption |
| C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" computersystem get totalphysicalmemory |
| C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER |
| C:\Windows\System32\Wbem\wmic.exe | "wmic" path win32_VideoController get name |
| C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" && pause |
| C:\Windows\system32\PING.EXE | ping localhost |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
Files
memory/2208-0-0x0000028D4EFC0000-0x0000028D4F042000-memory.dmp
memory/2208-1-0x00007FF8E4853000-0x00007FF8E4855000-memory.dmp
memory/2208-2-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
memory/224-10-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyr535uh.0fi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/224-9-0x0000029154930000-0x0000029154952000-memory.dmp
memory/224-14-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
memory/224-15-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
memory/224-18-0x000002916CEA0000-0x000002916D0BC000-memory.dmp
memory/224-19-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/3108-32-0x0000024DF9C90000-0x0000024DF9EAC000-memory.dmp
memory/2208-35-0x0000028D69790000-0x0000028D69806000-memory.dmp
memory/2208-36-0x0000028D69710000-0x0000028D69760000-memory.dmp
memory/2208-37-0x0000028D69760000-0x0000028D6977E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 966914e2e771de7a4a57a95b6ecfa8a9 |
| SHA1 | 7a32282fd51dd032967ed4d9a40cc57e265aeff2 |
| SHA256 | 98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba |
| SHA512 | dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
memory/2348-72-0x0000022E37CB0000-0x0000022E37ECC000-memory.dmp
memory/2208-74-0x0000028D695D0000-0x0000028D695DA000-memory.dmp
memory/2208-75-0x0000028D69810000-0x0000028D69822000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 063fa26d779f114734bd9130125608c3 |
| SHA1 | 3a1b8fb1a319f6c40a71b117d6b07106d2a53857 |
| SHA256 | e8f8cb3e295999c4b311836d5fe1213b4721d56ab14af3eacd1bcdd051b5a66b |
| SHA512 | fbe868cad1196fa3630581f269e8c512af1ed7b1d1e5708c369ed28810d37e48301370f19260657f47a560165113d28437741db39b91aaff69776143598b4391 |
memory/2208-93-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
C:\Users\Admin\Desktop\AddBlock.temp
| MD5 | 487bda336f191b9b6d7144faaf234ff6 |
| SHA1 | 558a5b2331c4535ab1151d8fb2270215b52f488a |
| SHA256 | c1c60be5a206882881b9435f20347e3759cd81d06566a3c992a63b31f75582af |
| SHA512 | 4b5492e9b251c9dc7b0a65aeac9c5e47cdf0a8a1f029ecabf56b1c782f482edb95317d5118cfb55c8c0405fe22874bd757fde2c3370d20fbdb8bb6bb4dd13843 |
C:\Users\Admin\Desktop\AssertWait.clr
| MD5 | 3caf4d254a9392151933261ca0e2bca6 |
| SHA1 | 75f67d85657d000c727caee9823ffea0ea9a4b8b |
| SHA256 | 756442a6ec888149a6f790207a8711647709cdd2f55b155fa15c2379a56a7025 |
| SHA512 | 8e409c71bfa9ac85e882daf5615cf01087122c0236a8449d41595a4ae9a2db92e295c746fd6328cd15b70fab1f15536e9ee498e53b3bf6ee057d6916cb09e0fb |
C:\Users\Admin\Desktop\CloseStart.easmx
| MD5 | ee0dd5f771ea3540d8e7e29f3aefd252 |
| SHA1 | 246135950ffd38c71f83bf51500f77eed7491560 |
| SHA256 | 50c8966d2943029f4f10bbf701030d17b1d85ff7e5d52edfdd63b6e819d99d7a |
| SHA512 | 85d395d3c2965606a5aa5a635e8027ecb957281e3d1302d570b5fcdb37c9f86c5a1cde2826e431675e91c4f6565df8a24993b3c41939bdbf14f9ca73861bf7cb |
C:\Users\Admin\Desktop\CompleteSubmit.vbe
| MD5 | 1f5e2976691a2d1596a5fab01a3655bb |
| SHA1 | 254e2d1fe67d6d140b74b1e38f6b5f7188e2ac71 |
| SHA256 | 465dc53a5222b33c8936ddab9cf4462cebb7055192a567979dd78d6addbfb422 |
| SHA512 | f71a2dc4e0efa03ab5e982e60829910227a16fafeac854383b586104ac0b985aca7e5b8b93e0ad23776302ecaf182c80610b96ad3244a57fa1fdeabd5eab4fc0 |
C:\Users\Admin\Desktop\CompressRegister.wma
| MD5 | 4b8bfe525237daf380f8cf0ed6db589d |
| SHA1 | 347d0ff9aef45c538ecb443af394856618ad5d06 |
| SHA256 | c56e6d51cc91067b802d672ca344d326bcc502424a0d3d4926fd1fc712b6674e |
| SHA512 | f01bfd965f616a17ac2fe98aa4b4ab683977327a1ebd6bc4cc74507509868fede7c04895dfd70ccf7650657babfc956315b230585680ac66afe6c9144a2f0277 |
C:\Users\Admin\Desktop\ConfirmSearch.mp3
| MD5 | 32fcd5503d559887734f7b5405bb7818 |
| SHA1 | cb9634ce49a9c637a1def7a2e567a64a4bca714f |
| SHA256 | 60311e8f0d71c46b41aae9427f8b9773beaef1d6988f67c72a05cab385360ce5 |
| SHA512 | 8204dd6bf94fe1c7495ba65936978dd0afd51c06da224ea9ac9c29cda7c8297bad50fd27972644b429b017d55361a47fc0a721730771874035bba7e27b116477 |
C:\Users\Admin\Desktop\ConvertJoin.m3u
| MD5 | 66d96a727f71597b91a3efb63c260ccf |
| SHA1 | 132e6dd8cfe72c66ed117ed2297f80ad5b09e53e |
| SHA256 | 81023bd8566a95c5e85cd05ceed0630e654c843dd6c54d6824e2035b8c845ab0 |
| SHA512 | 3f6df4cfd8e55cfe2107f53667484373d6c0adc0454d132e96b1f2f697383249233a4f8281282a0d012ddb9bc7d4e9f3fdded49028d2ee9ddb29bc5144e62c1f |
C:\Users\Admin\Desktop\ExportBlock.7z
| MD5 | 8cb09678365e303c3b959836163e0cdd |
| SHA1 | c1f75e28a722c3cd10edcad93c8e613a014515b5 |
| SHA256 | 3fee90cda23e7415d18a3dc6a9eeb4cf6dbf7ae4ceed6e41d140f54d2a0fce07 |
| SHA512 | c93425576b95bb49f1466b832881a8511252456684ec0d052e2e52018f61e8b16b39cc93cb526c9da13672f3af5e673ecd6940df313ba31771d7d37a45651183 |
C:\Users\Admin\Desktop\InvokePop.cr2
| MD5 | 9ce3230699d6ff6b444b9a09d0e73e0b |
| SHA1 | a1ad628ca07a7cba9ca3ebc41a68cb5a7176852d |
| SHA256 | 55d8e9fd9ecd5e4435b55a53b4af36fcc8a947b362a5c3b60da1daa3c02f8260 |
| SHA512 | 735b8e509e965ce87722394f35c4338b6868d2181aa7797c61a881b84802c2473f9aed3f02f2a9d72b335d0a8a08926a98e6d9c6a5eb0acc242fe7d73bd76b2a |
C:\Users\Admin\Desktop\InvokeGet.wmf
| MD5 | 284a0561abfa18d3a7def0e75f428760 |
| SHA1 | 6baf812713b0e3fac979e93ed551e3f887999eb5 |
| SHA256 | d8aede97fefe9e2ac44a372ce2cc545ff3d4b400548415033bf74365d751f5e2 |
| SHA512 | ceef0ea6e26ea8c5664b9a2f547bbdb818903d029fb3d46a69177c8cf74739cf803cb9f9fb3c07d06b01ca34da6232581cf21ac983a257386b3135040634b453 |
C:\Users\Admin\Desktop\FindWait.eps
| MD5 | fe61b9df2d47976a8981870661a42358 |
| SHA1 | 4add00c1839e709e9e23f0843a5cc9269b017957 |
| SHA256 | 64cf57d773b44ee2fbac4675ed028941c686bdd7949ef754ec5b8772b412d643 |
| SHA512 | 36de4f8098b70eb8405c11245ebbd71d4cb01d6b3c28b8c381bd4d5470979b0b7a8b0df8266d1642decc9675bea1c186ccdde7f943bf9a52de3391bf75575cc4 |
C:\Users\Admin\Desktop\ExportUnregister.temp
| MD5 | 6f2bcac532736d7923ea706d472463a2 |
| SHA1 | f9724ed751717be2ece922739388fd43702e61d2 |
| SHA256 | a57a08d9c1e5555647a06b52b290f05ffbc62b96ca72fade1a18fdde00910e3c |
| SHA512 | 8d3f75c2fa97a0da4b97bb2b8090424e3bdc9f067dc09559fc72e3c049fc4f6de29c52dcae381e2de44fa334f370ec083eb805e1e2200de8eaca3c535912af41 |
C:\Users\Admin\Desktop\OptimizeDisable.asx
| MD5 | 87441ca65c174a0718399cd69b72d5f2 |
| SHA1 | 220bc1e65fdebf4b1213233eb4ef05c742b34744 |
| SHA256 | 3cb052f46b1839e8a334b208ec0215fb57a91394c89b183010c329f96de1548e |
| SHA512 | 546810d178c9b644a438d09312bbda92517a0c9500d08bd0f547d3fd13ed708e6cd51e60198e2d4ef5b94ecd341e08e061a24cc4fa7ab9c2d4f00535fa7f3dba |
C:\Users\Admin\Desktop\OutConvert.M2TS
| MD5 | cf55e516e2f6514ca1ccb1b371e8c530 |
| SHA1 | eccf8b07e4387882c1cb33313129d3a410e650ff |
| SHA256 | 6e357ec3b9561aa30e489344dc70c011445bd2f5d3619bfbf8b2aa37f9d65e40 |
| SHA512 | 73ed39c134e51d670549cab3ff739acd85b0ce227fa45646829c2e8dc4afb67272f6337330e5be2d48ae93b194e59cc208b8849c38ee1719e9059776a4741357 |
C:\Users\Admin\Desktop\ProtectMeasure.reg
| MD5 | f784887ef52e3c3a179b0dc43f91321f |
| SHA1 | b8089a6eaf71074dbb1178a3777ef1d5a8fe11e8 |
| SHA256 | c9538eb1f16810267be9f95c9b234c43421d21735706909de3d2df3d42d1efc1 |
| SHA512 | dca93886ac6fa3cffdf6011541b991b5b5b69fed73c45561b16c00bd2f8d0ef17105c468b2ca098032ae9474a109bb6f9ca06f6e564b9427b51fa4c92d88347d |
C:\Users\Admin\Desktop\ReceiveFormat.DVR
| MD5 | ed6fb0d4f350a1fed044cc105b566173 |
| SHA1 | 1b8a1887d1ffe5104c64e1cad5d7b9345e79d3d8 |
| SHA256 | 1f4bd57118686b2010b632c75e0b5eded1cf7b491c72991476381b45e8e47145 |
| SHA512 | f47274ea15ed67de2d73bac15bb4123a38840d5cfb9675747f55f698c2a4464e492f57b9997a85e7de4504077c4cc685b3bdd6093d55b0cbbf7355ad5a6a047b |
C:\Users\Admin\Desktop\RemoveStart.php
| MD5 | 3bf0f7f4af5e66562cc5125f1bf5eb18 |
| SHA1 | 56b812afab0c657ae51c911d07a028145b474493 |
| SHA256 | 98e2144b580567edd8481e77b2c1631829a75eb64dc54c45a5c490099d266aab |
| SHA512 | 23e8e7c54a158b6b11329818f68591457d1a174b09336d89a768e46b56b8a31f961e1a744163d04641f9060542d67c748d91a03d2ee3dfa6648b10d7dedbe626 |
C:\Users\Admin\Desktop\RequestPing.rle
| MD5 | 973dc8a2b79e122ae97527ae6befcfd3 |
| SHA1 | 698d0529d648053d57e001d425ed5cc962eee46a |
| SHA256 | 80ca374b5296678855f5071dcaee098d93038654b49511758f966a5ee4938f3b |
| SHA512 | 60f47d26e3770683d749c0853c6387d1927a76a2931572efcfe54d124d571beb676fa4b637021392e7fa2fe7ffeb092c6c9e2f1484fdfe39c27d63f9a5458d44 |
C:\Users\Admin\Desktop\ResizeOpen.mp3
| MD5 | 8c56c07d550180a8a2b3fcdaaa418481 |
| SHA1 | 5e335ab316965d37209077ffbdad804e6d02fc21 |
| SHA256 | ed604df44d266c961d77015d89e411b5b01055aa44777e60bd34e6d8e5b02d17 |
| SHA512 | 06d55e360953d00838fea1a32f2f4d519c2e398a9779086917919e5a95f4e05e729babd674c9ac092548fd82c536d02b3e25977c8c17e5f7c511ce9adea2fb69 |
C:\Users\Admin\Desktop\RevokeConvertTo.mpv2
| MD5 | fc286f5ab830ab56cd44829dbe947c94 |
| SHA1 | 5020fbccc7f6a9c08a39f1dd91197e4111ac4db4 |
| SHA256 | a36f126636d53a55d34b6f8be02d802a8a981f23532568e596b80aac23df1b05 |
| SHA512 | 7f08be645d65247fbff580fa5e210d74385f2c368a2b8d7394963d4660df1e2c0090e06d33ad6428acd25c09e97fb10ba1a9256e74bb8951d9503c91ff973e0b |
C:\Users\Admin\Desktop\UnlockFind.pub
| MD5 | 205ac5fdf49a5a684ea8e8f713f3c5f3 |
| SHA1 | 5e2d218d1fe12b880bdf333650795d93f3a823d8 |
| SHA256 | f02a9b077d5ee9bec4ddb9e46dfc2e42fca5e5f7d5ebcea5c454352072d4da99 |
| SHA512 | 15598cac9d8725e4342ab37edcaf9e83e4c0538ff728909170b57eb79a6dacf463b67cd9b007a8c69503d5fae7cea77829b727f5d8cee9db178f49e040bab30a |
C:\Users\Admin\Desktop\ShowPing.aif
| MD5 | 10c0bc43f297d6198570e56ae4ed2f95 |
| SHA1 | a5706087985f0e7d422a6e30b0d63556256a620d |
| SHA256 | f62e8a73ed64aac501f65d6c70e1db0fcaa0dd38b0783ede4616bc259c3ea51d |
| SHA512 | dcaeddff50a09b0a17d2e5f1a98327eeb46f049f8e47db9c5a142d026f018c07039fdabd9081c807e9c1a93ae0a61f712ab46ae25051cd838ab84ba490c99730 |
C:\Users\Admin\Desktop\SendCompare.mid
| MD5 | 199bf52a2e3b0d402b1e1c39f67afe23 |
| SHA1 | c8db31af730a206ba856eef38080fc9041a49b57 |
| SHA256 | 016520e0f30f353a601347c506a494e0ad7c1f0808ab60b7aef56e614fac0943 |
| SHA512 | f8533cc914f9df2e3735bfa28a8ce0261ff6604df331611570e104259f7462bd49eb6b97226dafa884aa2f2bd583ac77d3fc19b71db2996f9b6aab020ba59a94 |
C:\Users\Admin\Desktop\UseRepair.ogg
| MD5 | b9faba26b92b4ce0310ed33478ddf0b0 |
| SHA1 | d659cfaa57d97cfb84258ccaf55a9504db12502c |
| SHA256 | 3376b67f26954cb3ff07338ddf6d7f904368ed7ebc4395d06811aa71fea4cbc9 |
| SHA512 | 4c10f1a7040cdbd598179291e65b2164d9132284ec1ea1e7a2abde660bd79ad8f22192c6f03f32089dc0466ad8256a2cf830c68e620b0032a38b737e27e09a63 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | ccc9ef4179c717b0d381064f07ae8b43 |
| SHA1 | 071c743bc00d36b035b6ff4f4112617e179faa4e |
| SHA256 | 7badd0e5b98770cb1a7c1426c199fb356e177c9eb0dcce63bd153245ab2c6717 |
| SHA512 | 00df112330fc52c70105513ae5119cfc99b4e45088532423b029352956189798ec4af35a40c7c82c7d14a47c10d830914412bab3687bc1323adccf0cd30cb97e |
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
| MD5 | cd2e601ec2f44b0211fae65422446e0e |
| SHA1 | b2ab43d71e0cfd537c1a4fb17d04b82f7201b6e8 |
| SHA256 | 2b83847fdc0f0e3eb695aa504d2a332c5197a07eb25b37b0e184e0e5411caa14 |
| SHA512 | c0ef50cf3f82c3ed49d23c39b69513f84c0aa94059f618a4dcf7b628ee8e67d83998e59b6c1f23b11cbca4aba5b8d46ea741dd77967ff757d5b8fb10b1da0fae |
C:\Users\Public\Desktop\VLC media player.lnk
| MD5 | 36867f540d444fb05ba7469f61198517 |
| SHA1 | 26e3ec466b5392d8bc47c49937b11bdfe30e8bea |
| SHA256 | b0e200ab7b8320378557a7a5d4f14d9d3f7b8fdaae9541fdecab0c16f63e9f95 |
| SHA512 | d6637fa169b65dfb8f36c24c8eee3b944ea09185ccb1ac1d7197028ef04a6d0ac613e0ec4728a8cf756623bb227b0e6c108194f741636f958488ff4c595c6f99 |
C:\Users\Public\Desktop\Firefox.lnk
| MD5 | 61ac1e815d81f4a2f93ba70bdb7f84a4 |
| SHA1 | 0531d3d2953f72dd89a16cdafcad0a2a010b3a32 |
| SHA256 | 844d651080ce9319d36dcfa225504b6e77a36f00fe17693f2d9df081bdef81bc |
| SHA512 | ad015c9f9724b6fa71defde43ace702955ed0564a873d82716f97fef8f56d2a75879c7d1ae373ae879089ed1fab853d4f08dfbcedd2cf81fd8eec69c2a11b0b1 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | b912c7424324879493c771def40a45e5 |
| SHA1 | 914f55b098e0d79a5285bae6d00e8a6b3f2574c0 |
| SHA256 | 2db04f2f0b7deace03e50618c8b1ee26be81fba29c3c8885b41dc6898cf6509c |
| SHA512 | 2822f6ca58037a55acd4d7d4ffd22afb88084bbc192c5f98b4d454e2693027fd07e163cf908d5924950dd5fb24a26994a3e82e2c755745be523c68d4a7557b11 |