lockergoga | eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0

Analysis

max time kernel
43s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2023, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockerGoga ransomware.exe
Size

1.2MB
MD5

16bcc3b7f32c41e7c7222bf37fe39fe6
SHA1

a25bc5442c86bdeb0dec6583f0e80e241745fb73
SHA256

eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
SHA512

f3e7087f569b3bcc201c006c5dfcea6cf560cad480bc03e6f17790190bc35bf6659e91a9f91219952bd139a3c9afde961032ee1d0861158409206feaa6540f9e
SSDEEP

24576:uj/6CtkHRos9l+zan4Q6eQqF5ZgQibE2zkMiJHic9OuTw258tox6T9G0SKoRl:A/NtkHRos9l+zan4QTB/2zkPtBq2itoP

Score

10^/10

lockergoga banker persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\OutBackup.png => C:\Users\Admin\Pictures\OutBackup.png.locked	yxugwjud6538.exe
File renamed	C:\Users\Admin\Pictures\EditRemove.png => C:\Users\Admin\Pictures\EditRemove.png.locked	yxugwjud6538.exe
File renamed	C:\Users\Admin\Pictures\EnableSubmit.crw => C:\Users\Admin\Pictures\EnableSubmit.crw.locked	yxugwjud6538.exe
File renamed	C:\Users\Admin\Pictures\InitializeRead.raw => C:\Users\Admin\Pictures\InitializeRead.raw.locked	yxugwjud6538.exe
File renamed	C:\Users\Admin\Pictures\StepResize.tif => C:\Users\Admin\Pictures\StepResize.tif.locked	yxugwjud6538.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated_contrast-white.png	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_radio_unselected_18.svg	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-300.png	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.169.31\msedgeupdateres_ca-Es-VALENCIA.dll	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Content.DATA	yxugwjud6538.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll	yxugwjud6538.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Microsoft.Input.Ink.dll	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-200.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden	yxugwjud6538.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033	yxugwjud6538.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated_contrast-black.png	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-lightunplated.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-125.png	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	yxugwjud6538.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-250.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\mmsogdiplusim.dll	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\hi.pak.DATA	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Social.DATA	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.169.31\msedgeupdateres_de.dll	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-150.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-100.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_contrast-white.png	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-150.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-100.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-100.png	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_zh-TW.dll	yxugwjud6538.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	yxugwjud6538.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\WideTile.scale-200.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_contrast-black.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\WideTile.scale-100.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\LargeTile.scale-100.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\index.txt	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\TransparentAdvertisers.DATA	yxugwjud6538.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-125.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\LargeTile.scale-100.png	yxugwjud6538.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	yxugwjud6538.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line_2x.png	yxugwjud6538.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4644	2164	WerFault.exe	69
5004	4844	WerFault.exe	106
3720	4844	WerFault.exe	106
2368	4592	WerFault.exe	169
3272	5088	WerFault.exe	269

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2971393436-602173351-1645505021-1000\{81E6B1FB-636A-45A5-80BB-3FE2F5F06459}	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
380	yxugwjud6538.exe
380	yxugwjud6538.exe
400	yxugwjud6538.exe
400	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
2064	yxugwjud6538.exe
2064	yxugwjud6538.exe
400	yxugwjud6538.exe
400	yxugwjud6538.exe
2064	yxugwjud6538.exe
2064	yxugwjud6538.exe
400	yxugwjud6538.exe
380	yxugwjud6538.exe
380	yxugwjud6538.exe
400	yxugwjud6538.exe
380	yxugwjud6538.exe
380	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
400	yxugwjud6538.exe
400	yxugwjud6538.exe
2064	yxugwjud6538.exe
2064	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
380	yxugwjud6538.exe
380	yxugwjud6538.exe
400	yxugwjud6538.exe
400	yxugwjud6538.exe
2064	yxugwjud6538.exe
2064	yxugwjud6538.exe
380	yxugwjud6538.exe
380	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
400	yxugwjud6538.exe
400	yxugwjud6538.exe
2064	yxugwjud6538.exe
2064	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
380	yxugwjud6538.exe
380	yxugwjud6538.exe
400	yxugwjud6538.exe
400	yxugwjud6538.exe
2064	yxugwjud6538.exe
2064	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe
380	yxugwjud6538.exe
380	yxugwjud6538.exe
400	yxugwjud6538.exe
400	yxugwjud6538.exe
2064	yxugwjud6538.exe
2064	yxugwjud6538.exe
2064	yxugwjud6538.exe
2064	yxugwjud6538.exe
4036	yxugwjud6538.exe
4036	yxugwjud6538.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
360	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	LockerGoga ransomware.exe
Token: SeBackupPrivilege	2236	LockerGoga ransomware.exe
Token: SeRestorePrivilege	2236	LockerGoga ransomware.exe
Token: SeLockMemoryPrivilege	2236	LockerGoga ransomware.exe
Token: SeCreateGlobalPrivilege	2236	LockerGoga ransomware.exe
Token: SeDebugPrivilege	1688	yxugwjud6538.exe
Token: SeBackupPrivilege	1688	yxugwjud6538.exe
Token: SeRestorePrivilege	1688	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	1688	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	1688	yxugwjud6538.exe
Token: SeDebugPrivilege	4036	yxugwjud6538.exe
Token: SeBackupPrivilege	4036	yxugwjud6538.exe
Token: SeRestorePrivilege	4036	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	4036	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	4036	yxugwjud6538.exe
Token: SeDebugPrivilege	2064	yxugwjud6538.exe
Token: SeBackupPrivilege	2064	yxugwjud6538.exe
Token: SeRestorePrivilege	2064	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	2064	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	2064	yxugwjud6538.exe
Token: SeDebugPrivilege	400	yxugwjud6538.exe
Token: SeBackupPrivilege	400	yxugwjud6538.exe
Token: SeRestorePrivilege	400	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	400	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	400	yxugwjud6538.exe
Token: SeDebugPrivilege	380	yxugwjud6538.exe
Token: SeBackupPrivilege	380	yxugwjud6538.exe
Token: SeRestorePrivilege	380	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	380	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	380	yxugwjud6538.exe
Token: SeDebugPrivilege	4112	yxugwjud6538.exe
Token: SeBackupPrivilege	4112	yxugwjud6538.exe
Token: SeRestorePrivilege	4112	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	4112	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	4112	yxugwjud6538.exe
Token: SeDebugPrivilege	1308	yxugwjud6538.exe
Token: SeBackupPrivilege	1308	yxugwjud6538.exe
Token: SeRestorePrivilege	1308	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	1308	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	1308	yxugwjud6538.exe
Token: SeDebugPrivilege	4620	yxugwjud6538.exe
Token: SeBackupPrivilege	4620	yxugwjud6538.exe
Token: SeRestorePrivilege	4620	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	4620	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	4620	yxugwjud6538.exe
Token: SeDebugPrivilege	3484	yxugwjud6538.exe
Token: SeBackupPrivilege	3484	yxugwjud6538.exe
Token: SeRestorePrivilege	3484	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	3484	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	3484	yxugwjud6538.exe
Token: SeDebugPrivilege	3788	yxugwjud6538.exe
Token: SeBackupPrivilege	3788	yxugwjud6538.exe
Token: SeRestorePrivilege	3788	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	3788	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	3788	yxugwjud6538.exe
Token: SeDebugPrivilege	3840	yxugwjud6538.exe
Token: SeBackupPrivilege	3840	yxugwjud6538.exe
Token: SeRestorePrivilege	3840	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	3840	yxugwjud6538.exe
Token: SeCreateGlobalPrivilege	3840	yxugwjud6538.exe
Token: SeDebugPrivilege	1316	yxugwjud6538.exe
Token: SeBackupPrivilege	1316	yxugwjud6538.exe
Token: SeRestorePrivilege	1316	yxugwjud6538.exe
Token: SeLockMemoryPrivilege	1316	yxugwjud6538.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe
4844	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 360	2236	LockerGoga ransomware.exe	84
PID 2236 wrote to memory of 360	2236	LockerGoga ransomware.exe	84
PID 2236 wrote to memory of 1688	2236	LockerGoga ransomware.exe	86
PID 2236 wrote to memory of 1688	2236	LockerGoga ransomware.exe	86
PID 2236 wrote to memory of 1688	2236	LockerGoga ransomware.exe	86
PID 1688 wrote to memory of 4036	1688	yxugwjud6538.exe	87
PID 1688 wrote to memory of 4036	1688	yxugwjud6538.exe	87
PID 1688 wrote to memory of 4036	1688	yxugwjud6538.exe	87
PID 1688 wrote to memory of 2064	1688	yxugwjud6538.exe	88
PID 1688 wrote to memory of 2064	1688	yxugwjud6538.exe	88
PID 1688 wrote to memory of 2064	1688	yxugwjud6538.exe	88
PID 1688 wrote to memory of 380	1688	yxugwjud6538.exe	90
PID 1688 wrote to memory of 380	1688	yxugwjud6538.exe	90
PID 1688 wrote to memory of 380	1688	yxugwjud6538.exe	90
PID 1688 wrote to memory of 400	1688	yxugwjud6538.exe	89
PID 1688 wrote to memory of 400	1688	yxugwjud6538.exe	89
PID 1688 wrote to memory of 400	1688	yxugwjud6538.exe	89
PID 1688 wrote to memory of 4112	1688	yxugwjud6538.exe	92
PID 1688 wrote to memory of 4112	1688	yxugwjud6538.exe	92
PID 1688 wrote to memory of 4112	1688	yxugwjud6538.exe	92
PID 1688 wrote to memory of 1308	1688	yxugwjud6538.exe	93
PID 1688 wrote to memory of 1308	1688	yxugwjud6538.exe	93
PID 1688 wrote to memory of 1308	1688	yxugwjud6538.exe	93
PID 1688 wrote to memory of 4620	1688	yxugwjud6538.exe	94
PID 1688 wrote to memory of 4620	1688	yxugwjud6538.exe	94
PID 1688 wrote to memory of 4620	1688	yxugwjud6538.exe	94
PID 1688 wrote to memory of 3484	1688	yxugwjud6538.exe	95
PID 1688 wrote to memory of 3484	1688	yxugwjud6538.exe	95
PID 1688 wrote to memory of 3484	1688	yxugwjud6538.exe	95
PID 1688 wrote to memory of 3788	1688	yxugwjud6538.exe	96
PID 1688 wrote to memory of 3788	1688	yxugwjud6538.exe	96
PID 1688 wrote to memory of 3788	1688	yxugwjud6538.exe	96
PID 1688 wrote to memory of 3840	1688	yxugwjud6538.exe	98
PID 1688 wrote to memory of 3840	1688	yxugwjud6538.exe	98
PID 1688 wrote to memory of 3840	1688	yxugwjud6538.exe	98
PID 1688 wrote to memory of 1316	1688	yxugwjud6538.exe	99
PID 1688 wrote to memory of 1316	1688	yxugwjud6538.exe	99
PID 1688 wrote to memory of 1316	1688	yxugwjud6538.exe	99
PID 1688 wrote to memory of 1380	1688	yxugwjud6538.exe	100
PID 1688 wrote to memory of 1380	1688	yxugwjud6538.exe	100
PID 1688 wrote to memory of 1380	1688	yxugwjud6538.exe	100
PID 1688 wrote to memory of 4464	1688	yxugwjud6538.exe	101
PID 1688 wrote to memory of 4464	1688	yxugwjud6538.exe	101
PID 1688 wrote to memory of 4464	1688	yxugwjud6538.exe	101
PID 1688 wrote to memory of 4324	1688	yxugwjud6538.exe	107
PID 1688 wrote to memory of 4324	1688	yxugwjud6538.exe	107
PID 1688 wrote to memory of 4324	1688	yxugwjud6538.exe	107
PID 1688 wrote to memory of 1112	1688	yxugwjud6538.exe	114
PID 1688 wrote to memory of 1112	1688	yxugwjud6538.exe	114
PID 1688 wrote to memory of 1112	1688	yxugwjud6538.exe	114
PID 1688 wrote to memory of 508	1688	yxugwjud6538.exe	116
PID 1688 wrote to memory of 508	1688	yxugwjud6538.exe	116
PID 1688 wrote to memory of 508	1688	yxugwjud6538.exe	116
PID 1688 wrote to memory of 5048	1688	yxugwjud6538.exe	117
PID 1688 wrote to memory of 5048	1688	yxugwjud6538.exe	117
PID 1688 wrote to memory of 5048	1688	yxugwjud6538.exe	117
PID 1688 wrote to memory of 3640	1688	yxugwjud6538.exe	118
PID 1688 wrote to memory of 3640	1688	yxugwjud6538.exe	118
PID 1688 wrote to memory of 3640	1688	yxugwjud6538.exe	118
PID 1688 wrote to memory of 1580	1688	yxugwjud6538.exe	119
PID 1688 wrote to memory of 1580	1688	yxugwjud6538.exe	119
PID 1688 wrote to memory of 1580	1688	yxugwjud6538.exe	119
PID 1688 wrote to memory of 5116	1688	yxugwjud6538.exe	120
PID 1688 wrote to memory of 5116	1688	yxugwjud6538.exe	120

C:\Users\Admin\AppData\Local\Temp\LockerGoga ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\LockerGoga ransomware.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y "C:\Users\Admin\AppData\Local\Temp\LockerGoga ransomware.exe" C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:360
- C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
  C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1380
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4324
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:508
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5048
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3640
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Modifies extensions of user files
    PID:5116
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Modifies extensions of user files
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Modifies extensions of user files
    PID:2192
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Modifies extensions of user files
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2252
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    - Modifies extensions of user files
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3472
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4832
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4576
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4876
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4992
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3508
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1068
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4148
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4116
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4140
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4784
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4652
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4544
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3848
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3900
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3192
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3292
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4340
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3704
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3372
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4924
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:980
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4864
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3560
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3080
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 708
      4⤵
      Program crash
      PID:2368
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3248
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4996
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4548
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4160
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4556
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3428
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3188
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4496
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4228
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4448
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3864
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2512
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3612
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4768
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3156
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4036
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3412
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3804
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4620
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4140
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4672
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4784
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4820
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:604
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3212
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3848
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3900
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3216
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3488
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3108
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4664
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3888
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3700
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3704
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1356
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3548
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:60
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3780
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4368
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3440
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3784
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3600
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4084
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4856
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:712
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3436
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3616
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 708
      4⤵
      Program crash
      PID:3272
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1360
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4732
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3988
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3024
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1592
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4912
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:508
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3188
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3092
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4884
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:720
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3116
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5068
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3468
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3128
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4448
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4256
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4412
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1256
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4832
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3160
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4336
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3104
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:732
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3804
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4656
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4304
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4700
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud6538.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 2164 -ip 2164
1⤵
PID:4740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2164 -s 5508
1⤵
- Program crash
PID:4644

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4844 -s 2288
  2⤵
  - Program crash
  PID:5004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4844 -s 2288
  2⤵
  - Program crash
  PID:3720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 4844 -ip 4844
1⤵
PID:3860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4844 -ip 4844
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4592 -ip 4592
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5088 -ip 5088
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.locked

Filesize
623KB

MD5
2dff127fcddc824b60c8236a663c644b

SHA1
0cf5b1f20b03625002ad026ef5612158373a74df

SHA256
0fd6dfc9e14261a2e470daa88a246668b17c9eae68fd374b9f4efb30aa357a35

SHA512
70e2c8884163631cdad64b1e9e95852c83c73b6e4884376ef832643df8da7d5e8d7943349114bd3aea9300e47cb7bab875b81890290c013c5129016cb46390c3

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit