Malware Analysis Report

2025-01-22 14:02

Sample ID 240224-e2lvlshh8y
Target JOKE.exe
SHA256 e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
Tags
persistence hacked njrat bootkit evasion trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955

Threat Level: Known bad

The file JOKE.exe was found to be: Known bad.

Malicious Activity Summary

persistence hacked njrat bootkit evasion trojan ransomware

njRAT/Bladabindi

UAC bypass

Njrat family

Modifies Installed Components in the registry

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops startup file

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

AutoIT Executable

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Kills process with taskkill

Suspicious behavior: MapViewOfSection

Modifies registry class

System policy modification

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-24 04:26

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-24 04:26

Reported

2024-02-24 04:56

Platform

win11-20240221-en

Max time kernel

141s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JOKE.exe

"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM cmd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.126.37.18:15217 2.tcp.eu.ngrok.io tcp
DE 18.192.93.86:15217 2.tcp.eu.ngrok.io tcp

Files

memory/2548-0-0x00000000753A0000-0x0000000075951000-memory.dmp

memory/2548-1-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

memory/2548-2-0x00000000753A0000-0x0000000075951000-memory.dmp

memory/2548-8-0x00000000753A0000-0x0000000075951000-memory.dmp

memory/2548-9-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

memory/2548-10-0x00000000753A0000-0x0000000075951000-memory.dmp

memory/2548-11-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

memory/2548-12-0x0000000001AB0000-0x0000000001AC0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 04:26

Reported

2024-02-24 04:55

Platform

win7-20240220-en

Max time kernel

1140s

Max time network

1163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A

Disables Task Manager via registry modification

evasion

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A
N/A 2.tcp.eu.ngrok.io N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\xina.exe C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
File opened for modification C:\Windows\xina.exe C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2908 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2908 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2908 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2908 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2908 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2908 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2908 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2908 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2908 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2908 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2908 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2908 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe
PID 2908 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe
PID 2908 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe
PID 2908 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe
PID 2348 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe C:\Windows\SysWOW64\WScript.exe
PID 2348 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe C:\Windows\SysWOW64\WScript.exe
PID 2348 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe C:\Windows\SysWOW64\WScript.exe
PID 2348 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe C:\Windows\SysWOW64\WScript.exe
PID 2908 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe
PID 2908 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe
PID 2908 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe
PID 2908 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe
PID 540 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\System32\taskkill.exe
PID 540 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\System32\taskkill.exe
PID 540 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\System32\taskkill.exe
PID 540 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\explorer.exe
PID 540 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\explorer.exe
PID 540 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\explorer.exe
PID 540 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\System32\taskkill.exe
PID 540 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\System32\taskkill.exe
PID 540 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\System32\taskkill.exe
PID 540 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\System32\taskkill.exe
PID 540 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\System32\taskkill.exe
PID 540 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe C:\Windows\System32\taskkill.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JOKE.exe

"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM cmd.exe

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\d3f20c9590484c7ba1111dcd9ddf0c7b.mp4"

C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe

"C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"

C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe

"C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.157.68.73:15217 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:15217 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.157.68.73:15217 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:15217 2.tcp.eu.ngrok.io tcp

Files

memory/2908-0-0x0000000074190000-0x000000007473B000-memory.dmp

memory/2908-1-0x0000000074190000-0x000000007473B000-memory.dmp

memory/2908-2-0x0000000000B50000-0x0000000000B90000-memory.dmp

memory/2908-17-0x0000000074190000-0x000000007473B000-memory.dmp

memory/2908-18-0x0000000074190000-0x000000007473B000-memory.dmp

memory/2908-19-0x0000000000B50000-0x0000000000B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d3f20c9590484c7ba1111dcd9ddf0c7b.mp4

MD5 bef81a1f584b54c66eb0c36c0cd5750c
SHA1 6930ee6b167a43e897a47d55ae10c0ca40574f29
SHA256 370c0e0d592f84566438e87b06e6352b380167e44dbd1dbadfa623426f5f4fce
SHA512 c02d583c563c5e746a93a448b99d0df142db0b15b8dc1010d6f5e582daae018067ffe6f95ddd00870c70165ae88a259786aa4c670a04125c8eba52a08a961952

memory/2136-27-0x000000013FD70000-0x000000013FE68000-memory.dmp

memory/2136-30-0x000007FEF6CF0000-0x000007FEF6D08000-memory.dmp

memory/2136-31-0x000007FEF61A0000-0x000007FEF61B7000-memory.dmp

memory/2136-33-0x000007FEF6160000-0x000007FEF6177000-memory.dmp

memory/2136-32-0x000007FEF6180000-0x000007FEF6191000-memory.dmp

memory/2136-35-0x000007FEF6120000-0x000007FEF613D000-memory.dmp

memory/2136-36-0x000007FEF6100000-0x000007FEF6111000-memory.dmp

memory/2136-34-0x000007FEF6140000-0x000007FEF6151000-memory.dmp

memory/2136-29-0x000007FEF5880000-0x000007FEF5B34000-memory.dmp

memory/2136-37-0x000007FEF5680000-0x000007FEF5880000-memory.dmp

memory/2136-28-0x000007FEF7B10000-0x000007FEF7B44000-memory.dmp

memory/2136-40-0x000007FEF45A0000-0x000007FEF45C1000-memory.dmp

memory/2136-41-0x000007FEF4580000-0x000007FEF4598000-memory.dmp

memory/2136-44-0x000007FEF4520000-0x000007FEF4531000-memory.dmp

memory/2136-46-0x000007FEF44E0000-0x000007FEF44F1000-memory.dmp

memory/2136-50-0x000007FEF43B0000-0x000007FEF441F000-memory.dmp

memory/2136-52-0x000007FEF4330000-0x000007FEF4386000-memory.dmp

memory/2136-53-0x000007FEF41B0000-0x000007FEF4328000-memory.dmp

memory/2136-54-0x000007FEF4190000-0x000007FEF41A7000-memory.dmp

memory/2136-57-0x000007FEF3FB0000-0x000007FEF3FF2000-memory.dmp

memory/2136-58-0x000007FEF3F60000-0x000007FEF3FAC000-memory.dmp

memory/2136-56-0x000007FEF4000000-0x000007FEF4012000-memory.dmp

memory/2136-59-0x000007FEF3DF0000-0x000007FEF3F5B000-memory.dmp

memory/2136-60-0x000007FEF3D90000-0x000007FEF3DE7000-memory.dmp

memory/2136-61-0x000007FEF3B40000-0x000007FEF3D8B000-memory.dmp

memory/2136-55-0x000007FEF4020000-0x000007FEF4190000-memory.dmp

memory/2136-51-0x000007FEF4390000-0x000007FEF43A1000-memory.dmp

memory/2136-49-0x000007FEF4420000-0x000007FEF4487000-memory.dmp

memory/2136-48-0x000007FEF4490000-0x000007FEF44C0000-memory.dmp

memory/2136-47-0x000007FEF44C0000-0x000007FEF44D8000-memory.dmp

memory/2136-45-0x000007FEF4500000-0x000007FEF451B000-memory.dmp

memory/2136-43-0x000007FEF4540000-0x000007FEF4551000-memory.dmp

memory/2136-42-0x000007FEF4560000-0x000007FEF4571000-memory.dmp

memory/2136-39-0x000007FEF60C0000-0x000007FEF60FF000-memory.dmp

memory/2136-66-0x000007FEF2320000-0x000007FEF2336000-memory.dmp

memory/2136-68-0x000007FEF21D0000-0x000007FEF2245000-memory.dmp

memory/2136-69-0x000007FEF2160000-0x000007FEF21C2000-memory.dmp

memory/2136-71-0x000007FEF20D0000-0x000007FEF20E3000-memory.dmp

memory/2136-72-0x000007FEF20B0000-0x000007FEF20C4000-memory.dmp

memory/2136-70-0x000007FEF20F0000-0x000007FEF215D000-memory.dmp

memory/2136-67-0x000007FEF2250000-0x000007FEF2315000-memory.dmp

memory/2136-74-0x000007FEF2040000-0x000007FEF2055000-memory.dmp

memory/2136-76-0x000007FEF1E00000-0x000007FEF1E15000-memory.dmp

memory/2136-78-0x000007FEF1DB0000-0x000007FEF1DC3000-memory.dmp

memory/2136-82-0x000007FEF1C40000-0x000007FEF1C5B000-memory.dmp

memory/2136-81-0x000007FEF1C60000-0x000007FEF1C73000-memory.dmp

memory/2136-86-0x000007FEF17E0000-0x000007FEF17F4000-memory.dmp

memory/2136-90-0x000007FEF1760000-0x000007FEF1771000-memory.dmp

memory/2136-89-0x000007FEF1780000-0x000007FEF1795000-memory.dmp

memory/2136-88-0x000007FEF17A0000-0x000007FEF17B5000-memory.dmp

memory/2136-87-0x000007FEF17C0000-0x000007FEF17D2000-memory.dmp

memory/2136-85-0x000007FEF1800000-0x000007FEF1813000-memory.dmp

memory/2136-84-0x000007FEF1C00000-0x000007FEF1C15000-memory.dmp

memory/2136-83-0x000007FEF1C20000-0x000007FEF1C32000-memory.dmp

memory/2136-80-0x000007FEF1C80000-0x000007FEF1CAA000-memory.dmp

memory/2136-79-0x000007FEF1CB0000-0x000007FEF1DA4000-memory.dmp

memory/2136-77-0x000007FEF1DD0000-0x000007FEF1DF3000-memory.dmp

memory/2136-75-0x000007FEF1E20000-0x000007FEF203D000-memory.dmp

memory/2136-73-0x000007FEF2060000-0x000007FEF20B0000-memory.dmp

memory/2136-65-0x000007FEF2340000-0x000007FEF2351000-memory.dmp

memory/2136-64-0x000007FEF2360000-0x000007FEF238F000-memory.dmp

memory/2136-63-0x000007FEFA330000-0x000007FEFA340000-memory.dmp

memory/2136-62-0x000007FEF2390000-0x000007FEF3B40000-memory.dmp

memory/2136-38-0x000007FEF45D0000-0x000007FEF567B000-memory.dmp

memory/2908-1764-0x0000000000B50000-0x0000000000B90000-memory.dmp

memory/2908-1765-0x0000000000B50000-0x0000000000B90000-memory.dmp

memory/2908-1766-0x0000000000B50000-0x0000000000B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yudkdggsqo.gif

MD5 830902dd51dad22083b885a7b51ac3cc
SHA1 a5cfc3391721b40f4c6219f7644628116ef0ae71
SHA256 94333c1e9a0961648a33db91f9e453e65b25e40106db6b639637fbedcc05e2a6
SHA512 9d409da6f1eba7041726df402ae2fb183e320a5bb81fd3837f6f4b67a88b628d4f571f7e1e2df33d0357bea396683036e9af6c2acac1d9e9931f6faf607cdd8b

\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe

MD5 a703c3b8a39537ce9be339bbc7339a45
SHA1 10354130b42e12c39eb6f3ce95b8368f581ef71b
SHA256 fce41ec4380d80f04eea4f2bb4ed9734c0ed31fb85c8897c0e299fbc0de41f60
SHA512 f73d2daaf572028655e4168834af7fb5477af4748f99845db314c57ab3a08c16d64bd2c5489f5c84ac3b0dcd16ec414284b5994091c3e44929fc7e923d26cb07

C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS

MD5 2b56784f8f16a689b305a1c768f28689
SHA1 e81ce025337ff3ebfc8bc48d43d360345a18688f
SHA256 dcd7fe09e32ec3a9fd356f12ded8e3f2ae520a99c8dc996b48dc98a39d68a077
SHA512 d0134e11bea5809b966cae3cc60828e557d6acddab890e56c0e22bed7c4facda582f77dd00a7ccb6da66200cc610ba9bd4423dcf33075f3b2b18434f219bbd68

C:\Users\Admin\AppData\Local\Temp\RarSFX0\prj_13626871_c66985d209c8197ecce4f5ce7899b49d_1656581581.mp3

MD5 4843241a72238329e13f2497733fd70c
SHA1 c6b6fcc361bbcf17e9d05868deec5700b9e1d048
SHA256 3c6de7e0e9b3781a9bbf710553efaacbd61afd486034a1a633e571fdb02f4348
SHA512 f302d7b69c6a9eced6770ca2e6da3119c3bdf9c2a6a90657814cf0b5ddc52f3c336a4c5e45152443bb6d6f3fa777e3d99c82a3c090c6fa5b4b377f5aa0e1ba20

memory/340-1849-0x00000000702C0000-0x00000000705D2000-memory.dmp

memory/340-1852-0x00000000702C0000-0x00000000705D2000-memory.dmp

\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe

MD5 0884dfe68c23cb78ec7ad67823271776
SHA1 c0a7770592c5f14b2eb039d402dd8e08cc6c5468
SHA256 5d8ea3a0eae74f62d5dd7b631d665c081056205e33dc32c4659b53d67ba2f1cc
SHA512 f9a1cab1e24c2d55c401c53013158b67ea3d1fc3d1f5ae0d6f848a4e8c76101eadd78f4bdd47fc34e3b12bce00f4a6e57e5225848a1490e2c8757f9b20a978e2

C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe

MD5 2f8aaa8f2535290b97004341df60f704
SHA1 63b1b1fb653f216b7cb522ace58488ce091c01cb
SHA256 13c554104d6da15fa4c6c9d21d973087cd242d76232c3df6c220497ed82b815f
SHA512 fbc4ab6aa3527530a0139c5bde18a08fdb6f7ff2001740e5f55668376373db56f03e7a2abe65a67cb638721604699eb403cf9c76f5edb6e4bd1d9bfa6afc56bd

C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe

MD5 c82fca115917a41fa7604eb630e12465
SHA1 0ce361a1268d8d4c1c53b5e3ace3a424606afbb4
SHA256 32ff719ed698c363bdd299e5c244381b0b8b6ed223d5e67197bbfa848dfcbe6a
SHA512 a3b74a50b0c0a9eebc27196d12360c193dc288bc91c7393fabf3b78597d3803d31a8e77eb076d45a5d22c0a5c7451a5407b4a798f46caa83bf78fba088d3f533

memory/540-1859-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

memory/540-1860-0x00000000012C0000-0x0000000002684000-memory.dmp

memory/540-1861-0x000000001C550000-0x000000001C5D0000-memory.dmp

memory/540-1862-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

memory/540-1863-0x000000001C550000-0x000000001C5D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe

MD5 12b162b0c010fcc23fa43b03cbb76509
SHA1 a696c6b6d5c0216b3eddf8dd4eb2a269abe19d00
SHA256 6be68911f16ec9283da61ce222d946c9e8e5ea39d71ad9d23216b4961947d180
SHA512 f983d2a19c18574cd09c1be30f44a6c8b586bfc74341367f6dfab26a6c7440f73e7ba252e66d1ed5fa6af5a78dd3f69de3909a369fe08ad78ca1e539eaa036c4

C:\backg.jpg

MD5 aa8212e3f48d35711f219cd9bf1265ab
SHA1 a3b17cc5311f23cc2db204f5b7081cd7d170094d
SHA256 ddc65eb885e5f89406a0b9ec5d23b0bf041ef9c15b689ddf6b855c9a62132200
SHA512 1d15ea1e09dae7d5c2b507f26dff3c052888deb7e5f8d17f5baac1c76a15cc2b0f11b470d855213ba17c03b32856e921b36c8acc6a32e9ff1ab9c04dc4ccf261

memory/1316-2006-0x00000000042D0000-0x00000000042D1000-memory.dmp

memory/1316-2007-0x00000000042D0000-0x00000000042D1000-memory.dmp

C:\ben_icon.ico

MD5 35ed09899d21d2f9806e5c4eb1411324
SHA1 5afa7972868a84f4e49d65f149aa09dda07870d2
SHA256 66775b29fdbd36e7ea15b038224a12271fe84b0e1129b11dec008af1dec986b3
SHA512 625d060ab49f371a9416315f85f6c01874cc19bfd5a4fb9b0a84287f1af0411695623e4176e62afa6623b16339b4c603f6a2179fe00ef505fdcd97e2b36cf820

C:\guy_icon.ico

MD5 caf2b6d49aae9303b222fdd06b91f10a
SHA1 12b967bd3aafa465c228551a7cb2d70f8b9f972e
SHA256 2b670bfb2029e8f023f13180780c648f606bb91fd5854e45e08c27bad2f4e1b8
SHA512 0eb51b3e222c4843fb3d79bddfd04faf41135845f1d20a320be84f076289be9890624cb34b73bf4093b2ddbb8d48ff409deeec5aaf3b10216204a24da4c2f92d

C:\xina_icon.ico

MD5 0f111a8457f17592240624b2e80a6c61
SHA1 23b009e988c3a95d9e8ac97e9baf2979dda3211d
SHA256 8d49d92735d094885cbb57a63988e6205b5a477f2a571aff2f1e8d295f3d8e2f
SHA512 4e14e5e9c834723a23d3982fa2c5223eb0ac09403bc5cde638733c2a96dc28f820f76b6614e444b5a2aef3fb9f53c6e8f1fffd265ae7bb0af0c372aa7f548bfe

C:\the_wok_icon.ico

MD5 8e1462f2d993e1bd6fd00268623abece
SHA1 67367e20f64d32ab8d1840dedd91d686ac989952
SHA256 ac084f24272a89b616e21add98739a7c4dc55830e6c7ac8fff74a9d495eef4c5
SHA512 9184a8a87c2b5ec222df4d51a940977b2ec784c634ca66e5d11a46d35ef1a38162b6e1090e1df364eaef3fc1313a39a989a803c2ace603e90fb4473ec9105ace

C:\amogus_icon.ico

MD5 43042269818924374a29891d79cb676b
SHA1 f34ef8a688e15efa9c0117816a617892a2730bb8
SHA256 77aa5f8536b9c30133f8083712b2d5434123d31a6ed41f0680fce52e06144187
SHA512 09cefcf48c1ebd4d5593d6d4f6973ff39330d23cf606da54bf79eeecd355842c675bd530b4e43d19b3dcc3fa6f4539d5d161ca423347197d6b319c17abab0e31

C:\skream_icon.ico

MD5 21a8888b16b257c094fd38d09612fc48
SHA1 9ce7e89da63c663987c9624a845144a4fecc3e72
SHA256 e1e71925f5169df514d0c196f41fe91ae1419426ed28422aea78ab85b4dafbc4
SHA512 cc554f7180b8f79de7ee6278b19fe8a4331ab9caa5cd980caf66eeed973a3577b56dfb57e4c0797d7987ce55ff8ab305a9a51b27568ae0fb9414498d3c494af2

C:\theme.wav

MD5 e4f642067670a4001d31ffb18f481f96
SHA1 538336f1beed8f74a0913454265cbcce4822c4e4
SHA256 5b41d14436cdd8e5467be6a1705daa108c428176c9fa4f9c74bd88cd4b703960
SHA512 5b7e27540c1bcd579d633597de005b7cb6a91f2dc8a6849c23b16a1fcc942688cd59ef0b0422a2832a2c84b6517e9debd87c5a1e9a57521837dc1c18ffe4a59c

C:\whenimpostaissus_icon.ico

MD5 57a21de76111fd67dd32bbf5b8cbbe8f
SHA1 127d6c20da0234ac8bc9dd65391fcfd695185274
SHA256 8a5f22591d81c5ce727cab12fa380c3331fd9a3118a69667bd21b8ed9d6bb96f
SHA512 4177b17475c7dff84fa577077d844e27af7d8dafba7f6beacc1b45174d4df2ae88f242529dfbd5f6e5b80bbc5ceb949ba0fcd2c3c7065dcf32226b0e9da85629

C:\ustupid_icon.ico

MD5 6e3e6e1a0f01c0168c7b1fcb4e63a89d
SHA1 785688b7caa8f28583e417a651517b721405d835
SHA256 b856abc28d3d026fbe327376bbd72f7a169012bc987d59dc9fe600e9714ff634
SHA512 d2038420bb997ff0d97561ff8b167822de36fa1f924962abed0f29b3c8b2ef7bf9a9f52311738d498b894cfd7d488ee0a1741150e45782e555028483bb1ecc99

C:\speedrunner_icon.ico

MD5 a0bd05bdf6641d55fff217fc45b6e7a4
SHA1 9c4f824bda8ec17d0c23fbe50cd8f6c55d5784e3
SHA256 c34b87c2f0454d80f7b1989e80eb5b6ca04052c16f94ce294f15a0053cc76ce2
SHA512 bdecd28c096925852936f0aa96a406596a3d60bbff51ac1e12d9241f4c7552630bf12aeb73cfed8cf8afc916cad90d4e6d23e5eafea6e14f73b73ced4992bad3

C:\avocado_icon.ico

MD5 6d362a3e515cc18d537f74fca1f75293
SHA1 99a5b363ac274e027530fa7a532a007b0e6c56f3
SHA256 c87dc1a91720070afe96d3be716d6203540da4d08e9d2339967a8a2a6a521d42
SHA512 896ac439ff7ff58b33413fd978bee25afffd9f4b2a8183ad63db861b92c7118bad0b845ccd85390c8b8a76ba57f6a6fb7d0ad3970bdb0a28fb9f2ed718979821

memory/540-2080-0x000000001C550000-0x000000001C5D0000-memory.dmp

memory/540-2116-0x000000001C550000-0x000000001C5D0000-memory.dmp

C:\xina1_icon.ico

MD5 ea930fd90cdcf6d31a2ec4c1559b41f9
SHA1 498db95c46ed784d6c6b83b6ad30184ceb7f80f0
SHA256 aba2367393eab39caa359b90c62ac0231e7af228070c50496a984be89bba4f3e
SHA512 726bf8c578a9019ac025c2fc021cdf7c111597d182720d62c48be9ea4fb3c8f4da777ff2305695a27d0db61c3af9da48e99ada694eab71df9fec459c50a00656

C:\xina2_icon.ico

MD5 d129b378192f4f70d831fb7034d7992f
SHA1 c782ed401d9a33644568dd3d4c78b49ec3d9a4a0
SHA256 3d41e7d8040bc0c91f371f88dbbd7eee29e7c8408d2de331636096f81cc57b4d
SHA512 b31d3191ad62011d53f77e789333f3669b515172aa30f914ca116af0b8b6949a031b002aa391637fdd7ab9a63a5b0dd5ce37dd691766f3d896ff570dcf23b2a7

C:\xina3_icon.ico

MD5 37cf805ea6e33432e8bcd4e028938faf
SHA1 c0ea05823441d9115a2f079346efff5ad2967930
SHA256 c638d0fedabee0972e593ef24aacb2bc86ddcb6a3357d0ddc2228e76d73051bf
SHA512 091bd6d4e0f5707df74a461657b513cf7c61b94e780b80f8f93fb000b0e29b7f59c08a35964d4dbee005e7bd9d3c9be5a69a2486996e3a9f09a3d3784d424a4f

C:\xina4_icon.ico

MD5 5e3393e772f5aad126c10b86b8b59c62
SHA1 ac70b3a5ce29c2d432263a11a4f157fa53222c23
SHA256 049e8a377ff04c64b0e804d14a96f1469bfdf60c6b38d807d8b1af5b293221ef
SHA512 3903acb567fdfd0abff26dcbd4c7c9ebfe569569b1af78283beedd7c2343baa3e3fe19a2e851e43b7313017624435ce814dc839f79c67d3c7ee528b3c71666a7

C:\xina5_icon.ico

MD5 ef185b61dfa8298a39bd12bc5b5ad56e
SHA1 3401678e4ebf8a78c664994e864a18cde058c20f
SHA256 ff3838388c2ed572a4d2ce6b8b6d77490bc56bab33ccf8c586bac27d2df83b68
SHA512 e7fa3e4f302801e617442764a28b7f7a24a394319903a411f40d6da31d03b7530a8160193010ef868c90f9259d44085d113b73fc09a0e72c5a1f9f990d87e7bf

C:\xina6_icon.ico

MD5 fc5f065a5e8ede646d1595c50f9253f8
SHA1 5c9a10baa223eca0ca3005b760b21f9dfe656e94
SHA256 90a1510f938da7440b9b0d2f82428885684761898d4f76575b1c2fbdfc245d92
SHA512 49a96c244bacdf8b5dde05f3b57c18d2f83a53f3f82bf32f6c8026d890e047f6b11d0d7d9357e8d6f509acbaa5fa37d5aab72c26e58f46c99885f272a747f544

C:\xina7_icon.ico

MD5 cb099d15874bc078218294749eb7b6bd
SHA1 27647365028ef3fe8df37d9341595501c5748b9b
SHA256 2efb6ed0f26f8a561014536a1eb846cd4467d830998f6bf2c89f5dbd4a87f1f3
SHA512 c350bd8959004da8cf76a4d79a25629c4e38ad57e22230a29c339685c076cfc0044cc241dc206016183549ac66da685a3d673938f0af6c69f40c0bb6ee5fbc2e

C:\xina8_icon.ico

MD5 337dc66064bf405d08a2c9c2f8b80ee1
SHA1 34e79eaf97bc9274222df62331ed464b06c26deb
SHA256 0bcb24229a3ca5ab524b3241e79d71d0b190994b77d4c420985e8f89b9557774
SHA512 61616a7d4e29c9a47b8f0f6c3a21e68b51ee2a185a2e0e6d3f7933a932305a246091c9ae757aa4d49601f2631e3cb5c62618a1e2a2932b957b9b279d019db337

C:\xina9_icon.ico

MD5 c7e83c267bc0e3238163b11a968d59d0
SHA1 180d269f95d88ab98c4abfaf5024119ab22f5424
SHA256 939f8ad378a8372438fdea72adb3f56cf4ecf3ab3d517efdbf5588c3a34be3dd
SHA512 054593312a083ae7f86b6aaa18ec206193b08368a8166f09815056ed339d1370ed0f03500fd39ad45bcba7a4a450b819415e695ff0a8cbca6db2a5999f9bb741

C:\xina10_icon.ico

MD5 312462041a762b3ca42e106dd23c77ef
SHA1 199e0d9650f70bc9d4aceb95da7d7200668dddde
SHA256 df0e53d5be9ecf641313960c107ab41bce93c8cf4849d006077e33a424cb15c5
SHA512 4d57c6b4659ededbecb127a9676f6cc64644cc270e33ceabe469e84c2a1b38981134aafb8f1d1e53cd0d6cc1f22f08fa3bd7e8568e8f1d907efd4bd07b51f790

C:\xina11_icon.ico

MD5 a6a4e4e3398f437cd4d431d85e9d54a8
SHA1 4afca6d917412205203b9498fd1fde26a926b7af
SHA256 03f9584495fef61a2f54a0f0cc469f26f25f35394be48b5d954d449ca37bc784
SHA512 2ef129c544c12373b8eb06160450ec4c925d2b3075d1f7925859c4a0f184911dda59b6687944b7fc086276b3966e1111535e4e859b3f3715078e1e68dfe6ac2b

C:\xina12_icon.ico

MD5 813e47eaed5990689d0d53815c68d29f
SHA1 a20cf1de1b653e7267c5dd134db2207fb1150e3d
SHA256 710b492db43e192fdf281d9d5ae58a06500b506694ce4685c64d413188c4b245
SHA512 9aa5898a1e6942e41d7cf2ccb9dfb96a0b12c4d148d24a9ec8b9f5bf608bdc0312fdfd97c779a73ea81dcb9ce7df06941efd2a0841b2afc6b439528ec0f84fa5

C:\xina13_icon.ico

MD5 fafd6d2d4a64f53220994bd4bbb9de94
SHA1 05d90ef5327c3ec114d0a36cb29927ca4796e5b7
SHA256 a8cac8b5521a9ff85faa0999ed21af3669c57a9cf51eb14760c001305c44c195
SHA512 64cc77861e5a3679cf2f323ecd673805aa6df266e720d4e889ca283017201d25f194767b7c36aaeeb4a4eebe062d2597fc3e13f1b7e6054b4707ee74178df232

C:\xina14_icon.ico

MD5 398df692cd2ec1bb7920ea5449d965a1
SHA1 d4fb9dc4e31cb5ec3ca4e2dd2223a0d4bc4256ec
SHA256 76fe950ef1408b93f1a13a7197cd3221d8eb6f6660ccf9aaec3bf94f8b9ef703
SHA512 2156c194183d961a06daeca442fe8da4808f2065e8936f4fee10f487784721c0976a69e39a466f1bc1a0c31e082025774a391bbad2138cab638bce4153ca7201

C:\xina15_icon.ico

MD5 b28cdde3e6551f820fbf4d1ae4da6677
SHA1 8e1fbc56e308b24dca374eb5debc9e9bdd5f6135
SHA256 dc1a15e29698e60ac326185e619eb875e869ea3d01746ac0701d11a2716f6b85
SHA512 21bab2e588190151a380d0663f0d8f307c95805af7197bb2adf6019bf28eb3cf57d9e7f621395a7f23ca847811e5a9fd316bc45fa3208c71832966c4127b8cc6

C:\xina16_icon.ico

MD5 66bd198bf0cfca918c45067bdbc354ea
SHA1 04d7bda4cd83a7d1e950a8da7f409eea72033578
SHA256 06f24e06f12ce66cb87a29d7eac67befb737ee1400f11071d4ca83ecb5c78dfc
SHA512 d2d775f19e5cd72671c739d03b6bed554dcc517f93bb83cba7bbe54fc3408cb8d177bb237620894f0cb45117bd902b6e39a7ce3f630f21c8c45b08d2280306c7

C:\xina17_icon.ico

MD5 9225599ab65c613124185b2529989cd5
SHA1 94cf9fdd8808ddc34d8c552a5fd52dd3bd6b4043
SHA256 e64658b6ee5ee61b29cbf79812b1f6cc45367eeb2cbe9da9fa5f1e63979644e8
SHA512 b535e4bf42d1bfe8d0280a694e8663fdfda224b030a80f0ccf0568009e1476cc062c3e88f9e3a3c31b62e5156504570fc17f1466acc234e83cf1f3628ac999b1

C:\xina18_icon.ico

MD5 3807d3a5a2f9fb626c97e048e3b64b1e
SHA1 1b14e6ef507551e72370b03a876e9534b0da3883
SHA256 5d99c8bc9f302d87e86addeebe013c34ca4305f3c9752fd92e979ac6d97aca34
SHA512 fd5ee94044f25dd20495dc3bae17ba89257211be6ca36df224813d7a71afe8270df7e8a74d11655dc6ab1397b5ceab3e56bfeac149a09d3015f10d4b50755164

C:\xina19_icon.ico

MD5 f6ecf41acb43f283021fa952e762b9e4
SHA1 cdd89bee571630d93ceb186ec5dbef3fc28d0019
SHA256 9962141bc3e2a1936bffa25de1e8ad85aa630d4a9770f90e9900534784683be2
SHA512 af637de1c505023a03e2fce65847fbb596a3c7dc6789f636dfc78b185b583e801274fc00f63c12e531a6eefb505a0c2bb29222a133a4f0d08a1eafa3be17acde

C:\xina20_icon.ico

MD5 0e027d0c11f6adfa7aaf640ef5cbb83c
SHA1 b9d69ff6f1ea832de0c713fd2011a1d588cc1d6f
SHA256 93bd144b21f021708564d17a127b241b6236ec7922cc772a78bbdfa9b0fd8ee4
SHA512 77c242c76e6f3aaea9df664ccfa280af6c4931adad908a069073d35cbbf521f5650a0135239f6f831049a5d13ebab595169f27eb9f847a952f8a47a18e092d7c

C:\xina21_icon.ico

MD5 0c12f084e52be0801c90d48ebaaa9c4b
SHA1 8954a0a34e1344e0ef0a8920c9935dedd1eb4dec
SHA256 b1b86e511ff375352a46b9b6fc8f3a7a20c55b7516dd1dd9d5af38adb7f527e9
SHA512 01b8f27eb18a77a7be9a1b910b93c16afcfda1e0c371463619dc6562bfc469af34d152282bde6fd4c14fc191c6b7cf1877d8607e257489498ba1c96f68c52e2c

C:\xina22_icon.ico

MD5 adb1b10c27228fd7a59a50a5839ee6bb
SHA1 579e67dca36773986fcebdd955f86cb6d47a7164
SHA256 4e876b157be27295d52d754db4367a05e2bd10550006355fef27542de0603c1d
SHA512 a2efeda33021d205b11cfce73b9897e82571f42596438020786dc58abcb0e42287ac3730f5f57fe92249f5b8fc8cf74f391fab5ba25004ee84b3741be4849499

C:\xina23_icon.ico

MD5 cf293a4f73d67d90b43d6fe2fc707e0d
SHA1 c779c8794392ac1d907170999a15d8a7440e85c0
SHA256 d2767668d76008045bb9ac633f6ae30daba499cdd4c803030b3f4119169220f6
SHA512 cd2dbe59f40101d36bcf9b2da70ed8f03e66e5c57386be68bc929e1fd05ef2b806afae135ec703e960bc159400cb402d409e7745f7b348ff47fb24861267dea2

C:\dad_icon.ico

MD5 8883262af502c220932bbc50979391ca
SHA1 0be9ff95e86e798493f5f067a6dd3ddec9ed6832
SHA256 f500586d27d938ebfc965c59cdc42e361b78bc41246d52a075bc278271c96fc6
SHA512 ca78bd4cbf199ac1ec91058e48f357b3dae908a5bc06eba132ad9e143d5791d11e04462a96bf836999dd412ff0d9f37d06243c8b944f84ec354a3fb223b1d076

C:\walt_icon.ico

MD5 fa516d1d0fce7db4dfa81e73cf74e917
SHA1 ecbb4b0ab88b6c7574279693bda9a7cfd0a2d9c0
SHA256 335b92e10ea035e1061ab8d44d02472d2db80a838eae63900b9d02ab9483c4af
SHA512 f9adda2c53121fbe6a0c42582f2af6d19dc8225f9422a2163210153bd5bc458cd4fadb1d97085fadc658b45557ddc3650ca96d68764241a153c70b68569dec8f

C:\bass_imposta_sound.wav

MD5 f6d67bd69fe398b2c5238fa4c9d6455a
SHA1 a8c7dfb2cd54dd46f2eb1e2fe6a19bdf40c47e44
SHA256 3ad823c535650fcba2de953fb2ce6fc46afeb04e529494e6b60b788cb28ddc32
SHA512 63e0e262338850ffe35929af320d17eb850efa046f860ca4fdb93518dbeeb2fe9ab3d4d13305c6d1f5c9fe78b42615ac0794d160b66fad5e3a30309dfed117e8

C:\omg.wav

MD5 4f0ad7516cd72bc8e78452edbfb7675b
SHA1 fdaf974becd0d3d66eb580df0e4beaf048ef22b4
SHA256 654700adddf4f3b7f18f08d3d7ba2df035a026fd38b86f700b950d4ce4cc0cfe
SHA512 d973a212cb46199bfbb938edd724e187f52d273eb92f0f32390f6b8c269886d55a2009545a3b46d456eb8a42f1c76e4956bfde803898d053e2164aa58a92f584

C:\rock_eyebrow_icon.ico

MD5 56afb11ebd7367af4c03b065ef3580f3
SHA1 4f30fbf3d5c0469533c1b33b98aa612e6704c14b
SHA256 da6e60fa7d074a5b8a90e3ebe53ed1c01661423ec0ec1ff154857bcef14ecff7
SHA512 eef0e1be7dfde83f546d36f41a6339ce17d5c7153da3f3d003838c333884458697b2d156abf9c119f4786d4d53f08563b79d17c0c3e316dabfa519db145e32c4

C:\fnaf.wav

MD5 a91d1592b7e50f377e7d173951c58178
SHA1 ba8c41495c9209b17b2538bc991a537f3493ebb1
SHA256 65c3102f1a750db1921c3c28064f94f1b53aec88852b874810cefc6a74f402c4
SHA512 8cac33c4b2964fd87ce396e519a894c6674f123e4c2f3642e358dba59ab64a17c110aa74363fca1436fc325f0a986ffdfe94c161fdeae30e425648576a8be1db

C:\bom.wav

MD5 1c782f17124b6eea9619acc46fc165a4
SHA1 aa22fe4a52723cf2ec83af3b478531c83ac1c589
SHA256 9f1c04f4d37d995f9f6cdb7751be399468c275f91c35f30bdb45ff9ff31190eb
SHA512 2b63129054cffd9037963f9e42c46c489e697f81109f8465c9cf3915894f143ffa444e9fb1bef195111ea915f36b51f08246b5ddc7ae5763d056bd0c8b0a7921

C:\amogus.wav

MD5 c30df0f1ba8d92eccb020946a107c7fe
SHA1 fe95d0b0246a4ecc25fc89ee7102647e12c1dcb5
SHA256 3d6d12cadb2ef6fe5b2a03d15964512bc32895e338c2da25ae2cb07bcb31deae
SHA512 624aebee4d918c8eed1716d17829a36104eb5aeb2d23be021e61f9d8e59a6aeb7215c14365ac081fa2f820e561aa108be25640d1634983dff7ca8ebd4dbd6a45

C:\obama_icon.ico

MD5 f89f675153effeea979e32716d1dcac8
SHA1 84780277f79505ccf920d13391726741e127a79d
SHA256 99232a1b8d11825ccdc89ad8a9e095c6a1c36731836c17207ec5f45cfc0270f7
SHA512 8c447c5a226a127cb671eac033bc7db370a5dd47aeed7e46fcbd112684bcbff300827292c8bd87aee6f21bff887c4c04b7620b3bc22a3b6bd3b6843678083fff

C:\scream.wav

MD5 2d714bed0f2a11e2daba10305c667e93
SHA1 20af1afd4f3283cd142904a285b6471b119f8079
SHA256 a65f7847e0c4ec164b204cb5abb90a4b58cacc4c957f0749b52c7130094b860d
SHA512 da26fb5aba9377c746993daf6ffbe3df60db4ce0992058b7d70a1a26398f9014a7c111775e1acfe26526500a90daaacf805dda3b8a7cce87c36b60f641fd0119

C:\alarm.wav

MD5 84b81f71beda7afeded4085a84808465
SHA1 7199bd12cc0ef1f77fcaaba8b3ea5645ab388dce
SHA256 0884ecdc6f9a9ce52f67f6fdeaf02d579b2d7a1c7cf14d20d77c2906e41196a9
SHA512 698bdbc47b061ad37982195a16930caeaccda52f95f9c0d4ed33653590023eda6a2c3f110ea2112aaa67c99ed588d9117797aedd9298b36b37e78dcc5c74a5ae

C:\ustupid.wav

MD5 afc635b14cc1d36ce347aa3ad423bcde
SHA1 306b78de47455914a0550229035516b951e638c5
SHA256 80d9439a20f9f0b09bfb6b7b71a84bd9875c2363141b323522ab0473df90c0b5
SHA512 ce4b43b1b876b741d312a045fede59c4b1287f084a4fd0a1929aa8e6da3820450f25ae9436d48885e30908201e6a82cd3ad7e8e9d92b16aa68aa1e0b37366d40

C:\sussybaka.wav

MD5 8853da13437c21bd8c8b131dacd73d4f
SHA1 844f143af3aab36ce1cee355eb7e7c5a4ba67f4a
SHA256 7616c3dc3ef9a7a6d08a54a5e955b33f001647f0821c29b92b022c044226e480
SHA512 31a3989fddbffbb8e6979bf3e855eb13ba97146cc1cee4ab6f939cf002e0a2e698a12383f0f2a8d3d6aab437da9bac7e641189565a7ced1d2c5ae1a8f149cf30

C:\amogas.wav

MD5 7c96d6b14ab956a856d47e87c4be4553
SHA1 a4626ab555204ae9221547b539fe9fe8b21cf500
SHA256 3e6482553b51c3bf6d419f8333647f59762240861c79f166d1995fc59eb189b4
SHA512 aef86dfb77cce4064a634f3b1accdebb3c066e6d9fc966538df80b2c0d948a017b1af1bd34d93d525f907bb983504544d541ae1a1f074caabaea55d71b4f3f3c

C:\hell_no.wav

MD5 22aa4efefa11404c5656516f4f257a59
SHA1 2b7476f4fc38d51303dc78dcdef4577ea59efa09
SHA256 88f4e80980753871fe322f8dda83e72900cca29961efdf25bd119b259a57d05e
SHA512 167d77f6f5aeb19fc98b6dc969f8ea91906aa23f5771b3f764884a685acbea5fa545486e72daf79decfa86265e6718a0d5e95c6f9c01bbc14a5c6b7c0ad2380f

C:\fart.wav

MD5 e87a6a5fe2591cb8c7a88c0bd4cc8d3c
SHA1 75c4ca221b2f4782709f16230059bf8413de13b9
SHA256 840bbecc0e95ca503740df9ac0ac944303c4a4c5f163a3eb4d4aea329629371c
SHA512 2fce9c3827b0d16828175f8ac86029f615614ad0f147c95842113824d8177e2919cd0e09d67b9723396d259dea99e3b465b7a83972a8f1d344925cd8c14f0605

C:\whatdadogdoing.wav

MD5 a55dee0b6901e6cc5dee3ee6db227b41
SHA1 914b3ff1faa2a3009b13044ba08f08a71f2f3f20
SHA256 6fd47a0e90adba6e9560ba5fbbc162b346b528aba268300f560d5a144924bd9f
SHA512 ecbd6e493df019e3045a420e0aa6235fdee1d1e97e455370e29ee7563e7c25f9d75afa9b7c1c9d8e2693e90e1271811dbe88072ba8ec4e93cf23d08cdba0f4b5

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 04:26

Reported

2024-02-24 04:56

Platform

win10-20240221-en

Max time kernel

575s

Max time network

594s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A

njRAT/Bladabindi

trojan njrat

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A

Disables Task Manager via registry modification

evasion

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Control Panel\International\Geo\Nation C:\Windows\System32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A
N/A 2.tcp.eu.ngrok.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xina.exe C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
File created C:\Windows\rescache\_merged\4032412167\2900507189.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\xina.exe C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
File created C:\Windows\rescache\_merged\2717123927\3950266016.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 02e8a374da66da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80702004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000a64c3d3fdb66da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80702004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000024c6e73edb66da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80702004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000000308662a164da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "415516152" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 00e3786dda66da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1168 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1168 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1168 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1168 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1168 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1168 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe
PID 1168 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe
PID 1168 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe
PID 4376 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe C:\Windows\System32\cmd.exe
PID 4376 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe C:\Windows\System32\cmd.exe
PID 516 wrote to memory of 4160 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 4160 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 4160 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 2652 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 2652 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 2652 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 4816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 4816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 4816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 4816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 4816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 516 wrote to memory of 4816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1168 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe
PID 1168 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe
PID 1168 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe
PID 1168 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe
PID 1168 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe
PID 1756 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe C:\Users\Admin\AppData\Local\Temp\Ention.exe
PID 1756 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe C:\Users\Admin\AppData\Local\Temp\Ention.exe
PID 1756 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe C:\Users\Admin\AppData\Local\Temp\Ention.exe
PID 1756 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 1756 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 1756 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 1792 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\Ention.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1792 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\Ention.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1792 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\Ention.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4308 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe C:\Windows\System32\taskkill.exe
PID 4308 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe C:\Windows\System32\taskkill.exe
PID 4308 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe C:\Windows\explorer.exe
PID 4308 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe C:\Windows\explorer.exe
PID 4308 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe C:\Windows\System32\taskkill.exe
PID 4308 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe C:\Windows\System32\taskkill.exe
PID 1168 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe
PID 1168 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe
PID 1168 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe
PID 364 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe C:\Windows\SysWOW64\WScript.exe
PID 364 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe C:\Windows\SysWOW64\WScript.exe
PID 364 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe C:\Windows\SysWOW64\WScript.exe
PID 1168 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe
PID 1168 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe
PID 1168 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe
PID 3664 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe C:\Windows\SysWOW64\WScript.exe
PID 3664 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe C:\Windows\SysWOW64\WScript.exe
PID 3664 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe C:\Windows\SysWOW64\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JOKE.exe

"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM cmd.exe

C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe

"C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D0.tmp\8D1.tmp\8D2.bat C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe

"C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe"

C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe

"C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe"

C:\Users\Admin\AppData\Local\Temp\Ention.exe

"C:\Users\Admin\AppData\Local\Temp\Ention.exe"

C:\Users\Admin\AppData\Local\Temp\Locker.exe

"C:\Users\Admin\AppData\Local\Temp\Locker.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2ec

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe

"C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"

C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe

"C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.127.138.57:15217 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 57.138.127.3.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.127.138.57:15217 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.213.22:443 i.ytimg.com tcp
GB 216.58.213.22:443 i.ytimg.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 22.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 rr4---sn-1gi7znek.googlevideo.com udp
CH 74.125.108.201:443 rr4---sn-1gi7znek.googlevideo.com tcp
CH 74.125.108.201:443 rr4---sn-1gi7znek.googlevideo.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 201.108.125.74.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 20.189.173.21:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 21.173.189.20.in-addr.arpa udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 216.58.213.22:443 i.ytimg.com tcp
GB 216.58.213.22:443 i.ytimg.com tcp
CH 74.125.108.201:443 rr4---sn-1gi7znek.googlevideo.com tcp
CH 74.125.108.201:443 rr4---sn-1gi7znek.googlevideo.com tcp
US 20.189.173.21:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
GB 92.123.128.167:443 www.bing.com tcp
GB 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 167.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.126.37.18:15217 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 18.37.126.3.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp

Files

memory/1168-0-0x0000000074180000-0x0000000074730000-memory.dmp

memory/1168-1-0x0000000074180000-0x0000000074730000-memory.dmp

memory/1168-2-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/1168-8-0x0000000074180000-0x0000000074730000-memory.dmp

memory/1168-9-0x0000000074180000-0x0000000074730000-memory.dmp

memory/1168-10-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/1168-11-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/1168-12-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe

MD5 c4eb157cac8ac23675482e9db405af99
SHA1 ff3e7e1464ca8859a480dcdddddf6de6480cb75c
SHA256 55eb5e8387b9b1e9982287ea45bc20a86d6f5b0fe02f92f5ac2f569df1355d68
SHA512 e82469a7d35d6c4671f7789844ae6cfac2f9e7ef464f1b3f865df78d532fed00cf8f9f707f87d107943384f73cab98d687e9e4382c676b635cd1f8def0ec70f2

C:\Users\Admin\AppData\Local\Temp\8D0.tmp\8D1.tmp\8D2.bat

MD5 d6722be451c37f29ea52c36108089437
SHA1 ec0828abb19128ea6edec152ccad500f5161291c
SHA256 152053eb315110ca3a65f3393004e9b33f5eeccd953f5ca1e1734e659544728b
SHA512 ffff083ea8f17da8465904ebd0fa7331dc086e29bb684fcf7b19d545c09bf03cf6ce08f3dec21bb4134f131055c6df7ef1cdf31ee133aaa35b5314b3097e9716

memory/2736-36-0x000002014FA00000-0x000002014FA10000-memory.dmp

memory/2736-55-0x000002014FCC0000-0x000002014FCC2000-memory.dmp

memory/4160-102-0x000001A3F7370000-0x000001A3F7372000-memory.dmp

memory/4160-111-0x000001A3F7390000-0x000001A3F7392000-memory.dmp

memory/4160-115-0x000001A3F73C0000-0x000001A3F73C2000-memory.dmp

memory/4160-126-0x000001A3F72E0000-0x000001A3F7300000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 730fcccc4fa580117510be4499e43fd5
SHA1 245aebea52af630789dea0862c099891180aa1f7
SHA256 482537b14f03f06c5f7910d089094612fa9940813eb0f1a63330f18d2b632f96
SHA512 2cd70c9a8fb93300c3efbaa2e111f3c1e562b06f0501546446bde1b46ab1cfd7e800bb04f2e53fd194bf64b4498cc6189490680a24823daebb15747ee29af6ae

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_B744ED683086DD422B6453395135F670

MD5 d161ae1cd954e11e5d7e94ae2d43fb8c
SHA1 f081a02d740bc5ca89f23e2affe262707b6e0c6a
SHA256 bdf4ccfcdc71b2f78afe4fd7beb11e0b3ac8b87fd26393623bf25c78a4995672
SHA512 83a03b9f5f5582ce32ceb3a7de2d1218fb50900677e8dce0c7cc895b905f0d46f2557c12dcefd12a76daf9842b8661d4f28c134a24aa6ca6e2d5cbaad8a1d077

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_B744ED683086DD422B6453395135F670

MD5 c36304d217d71dd9d3478555ec792b53
SHA1 3bc6700bfd7305d89eac48fa04ec9a0a0fceafe1
SHA256 fc35fab32aa4d7e870515483a474eacbbf7d5fbd4bcb017ad417963be0bbfb7e
SHA512 b9f92eb5383e46f3f593f6a3bbdd1501e0c2dace30080988a05d54cebe48355172510f680b06a7e26467e56183ccaf13bfddfd587351da6b56f357260cfedac1

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 d2aa3b31a8eb837a025650a56428892c
SHA1 c2218af4c5fdd0b8f7478a27e07f5afec32bbecc
SHA256 208101d43d87f2ebef1ab89c81843b24453643e2eae75d6f7217102de2b5fe29
SHA512 21e1d30789651316adf0eb880aac48c7211996e0e8b458df26a414b3d03ca99d1988fe7be77dbef4c6db1582d496e3c2df62ec9c1ce5a48ba2bfe0a68b327a47

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d0da769192d32443ab3697052e75e6e0
SHA1 7e69f58fee2c525ad157eabe3d56aa8897019593
SHA256 ba8144b9c78147903b87eb08e3f2bed062fa7a1c1c8a35bea76ae24b87f0bef0
SHA512 d6d1a89cce75f2be3668dac3af1982744a81e4f5309e0adbb6e54c50d7a7042ff4365913af640a34921a51c716de838a43750f2110e92111fad3b9edf72debf3

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\G6IH1XRY\web-animations-next-lite.min[1].js

MD5 44ca3d8fd5ff91ed90d1a2ab099ef91e
SHA1 79b76340ca0781fd98aa5b8fdca9496665810195
SHA256 c12e3ac9660ae5de2d775a8c52e22610fff7a651fa069cfa8f64675a7b0a6415
SHA512 a5ce9d846fb4c43a078d364974b22c18a504cdbf2da3d36c689d450a5dc7d0be156a29e11df301ff7e187b831e14a6e5b037aad22f00c03280ee1ad1e829dac8

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\G6IH1XRY\webcomponents-ce-sd[1].js

MD5 c1d7b8b36bf9bd97dcb514a4212c8ea5
SHA1 e3957af856710e15404788a87c98fdbb85d3e52e
SHA256 2fed236a295c611b4be5b9bc8608978e148c893e0c51944486982583b210668a
SHA512 0d44065c534313572d90232eb3f88eb308590304c879e38a09d6f2891f92385dc7495aabd776433f7d493d004001b714c7f89855aa6f6bec61c77d50e3a4b8e6

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\G6IH1XRY\intersection-observer.min[1].js

MD5 936a7c8159737df8dce532f9ea4d38b4
SHA1 8834ea22eff1bdfd35d2ef3f76d0e552e75e83c5
SHA256 3ea95af77e18116ed0e8b52bb2c0794d1259150671e02994ac2a8845bd1ad5b9
SHA512 54471260a278d5e740782524392249427366c56b288c302c73d643a24c96d99a487507fbe1c47e050a52144713dfeb64cd37bc6359f443ce5f8feb1a2856a70a

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCALUWRY\scheduler[1].js

MD5 dac3d45d4ce59d457459a8dbfcd30232
SHA1 946dd6b08eb3cf2d063410f9ef2636d648ddb747
SHA256 58ae013b8e95b7667124263f632b49a10acf7da2889547f2d9e4b279708a29f0
SHA512 4f190ce27669725dac9cf944eafed150e16b5f9c1e16a0bbf715de67b9b5a44369c4835da36e37b2786aaf38103fdc1f7de3f60d0dc50163f2528d514ebe2243

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZQ71I6HC\www-i18n-constants[1].js

MD5 f3356b556175318cf67ab48f11f2421b
SHA1 ace644324f1ce43e3968401ecf7f6c02ce78f8b7
SHA256 263c24ac72cb26ab60b4b2911da2b45fef9b1fe69bbb7df59191bb4c1e9969cd
SHA512 a2e5b90b1944a9d8096ae767d73db0ec5f12691cf1aebd870ad8e55902ceb81b27a3c099d924c17d3d51f7dbc4c3dd71d1b63eb9d3048e37f71b2f323681b0ad

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\G6IH1XRY\css2[1].css

MD5 31aac18e149a751facc1eab7954dfb7b
SHA1 36d367dcc77416a166aecabb5f6fb5c6c29f3632
SHA256 42706c41583de3f0028f16bad17197dde81807d148ba848ea3924aff4bb8b532
SHA512 df83002d751e6e73377b15966fa5ffacc7f6e2318821c691209fac9b6991d1113b385ca1fbf21e02455a5e5702d4247716c6d03d1938506e6ca740cdeffce351

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LFEYDNZV\www-player[1].css

MD5 8f60c13acb044236ec0ee3bfa7c5374d
SHA1 337a4a5622c4fa7e763aa4f22ae0bb8d7fbcaff8
SHA256 5c6664535088c169d1900c7b4f749d59530506ba2f16bc07c131027a30662897
SHA512 34c8ad38252709922410701b641f5f745ccfb7ca42010f5f26d4686a879e61e1f8e2057a6e1cee6cffec95ad861629fe6e9e8908bbc3003c8ad93fe3e964d9eb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9F04E35CA28A5C68B5490FBED6478178

MD5 5470a88b926d8afed075056e26072e9a
SHA1 c9f4223210fe0b2b96e816bf73501fa7fae2171c
SHA256 0b4176a4107aa865df5d96114692076511aafbfd7f5a38d70eeb36076fd25606
SHA512 5cc771e72f84a7caa6d3662c0161bd7c7e212dbab0e3e9947c3b81a13440d2ace3eef117eb36fc6aac00f5963a9a4a6eea01870f41d39d9fe8aa54558802e515

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9F04E35CA28A5C68B5490FBED6478178

MD5 226ba29088bdde0e850643d755578514
SHA1 5beeb8651d1da05a58d1117ae4ec3a28ba6934b2
SHA256 5ee6bd6e5801c6fdd6ec82df943562e9ff7216047ceffe10fdb7c567a3de629d
SHA512 739524c45640dff914150ff4226ee6871204a0dabe1135c2d780253c725eb482a469ceb6b1cb9977a578ee4bdbf483d5e45231be53f27903eaa3e35126b82284

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LFEYDNZV\www-main-desktop-watch-page-skeleton[1].css

MD5 81b422570a4d648c0517811dfeb3273d
SHA1 c150029bf8cebfc30e3698ae2631a6796a77ecf1
SHA256 3c8b38d9b8a3301c106230e05beeedbcd28b12681f22fd9b09af9e52dc08635d
SHA512 1d4966a88d7cf6be31b8f53547a12db92cabb4c05176abe995c75c8889765ec68b7210c3be75f60954ceb2938412fbdeb94d4d25ddc927f3a89eca76a84a9ebc

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LFEYDNZV\www-main-desktop-player-skeleton[1].css

MD5 2a5f27d8d291d864d13eaa1f5cd9cd51
SHA1 b39f9b99b924e5251ac48fad818d78999cfd78d4
SHA256 056232b6127143e2f8bf4218db355d978e1e96f5dedcce59a9f5d6ab92b437f1
SHA512 1b54f1e13cb38e41f2a65db3cdc2bc702a9e963751b1ef0338d67b95816441b0143e1d4dabc99f276a04f9c00570bb8933f1bd87394998b3878c268b08ecf24a

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LFEYDNZV\www-onepick[1].css

MD5 5306f13dfcf04955ed3e79ff5a92581e
SHA1 4a8927d91617923f9c9f6bcc1976bf43665cb553
SHA256 6305c2a6825af37f17057fd4dcb3a70790cc90d0d8f51128430883829385f7cc
SHA512 e91ecd1f7e14ff13035dd6e76dfa4fa58af69d98e007e2a0d52bff80d669d33beb5fafefe06254cbc6dd6713b4c7f79c824f641cb704142e031c68eccb3efed3

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCALUWRY\rs=AGKMywFRe-uXq3Zl7DKngxjSYzI0kR4DvQ[1].css

MD5 bf2b05164e4fff1bbc7a59024d2ebb1c
SHA1 9c91e21aca4f3baff2bd30e0da7b7430a810358a
SHA256 72d2f9ef26363b27fe8bf6e491da6c6cc975707829fde01787830d1baea32242
SHA512 27e3cdbdaf8318f99cb0e3020a1cecbdbefb6e47c8d0dcf9c9abd71613e252e7fa99258b1a6641eb6e889c296b5f0fc6e5b342d415ed6c20503d3e96a032c6ac

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCALUWRY\base[1].js

MD5 05068401e84164a0ed0446c186a08140
SHA1 7db58d26661fc99f0abfe4666a535e1fd74e9f22
SHA256 8118050a27f735b626239738ae0e5ef7d7b79eb0fb27760dc1214c1f1ac00275
SHA512 1d1755de710c4235efe6ee688d7d7c00734a14fc614db81667f8e10d51a05c74863e8ea7fdf1dac3656995d6e1756c7b0689f565ccc840ad0ca014cf83603d8f

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZQ71I6HC\spf[1].js

MD5 09724500269dc3256e3517a3b3526306
SHA1 cb72e3f6e5d0c8cad37bce37a5d81fa768d33037
SHA256 f333d8729a3c54012666dff2de67a567e3ade40c708cac4a1b6f7083cb1c5c63
SHA512 0fbba72fce072bacf3fc9ebaa4778272c15ac650e0978ec71e0423433b2c91884f4baf01f275aacebe693b57640d2f577d6b35ed77ec1c5505151561edcebadd

memory/2652-202-0x000002285D020000-0x000002285D040000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZQ71I6HC\network[1].js

MD5 71464b30ee74399d9bcb61eb2506c9a7
SHA1 04ba39b53cce7deb7c316d0d70ac710128a47325
SHA256 99599ec6f3fb4d9ae90a3ac4fa8e73448cd94e47a0662c7b80bc1427004f4e67
SHA512 5ace36f2d24351e2af12d0aae0fdf6e1b287e0ae8bb75d9fda1204ab8d475ffbcdd97daccd7b057878b05e427212704218b14dc842e01ccddbb122f48d709a5b

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZQ71I6HC\desktop_polymer[1].js

MD5 66cbcc358d4aba2396e2abbc0fc2a233
SHA1 78f855fd86d5ee3e4e0857fc59f0f196460b1353
SHA256 c30616610b8ff4c50213b70ab8eafc19c8156a20a96868ed63ea7a2672980d31
SHA512 e1d59f4a59ad5c092ae91c491532e18f9df0372a05eabee2d605fd415c5e94b6c25a74d427f6a29e60efd33be5440da36d5027ee0ef935ef4877ac27e6c8a0b4

memory/4816-219-0x000001F1F64C0000-0x000001F1F64C2000-memory.dmp

memory/4816-221-0x000001F1F7080000-0x000001F1F7082000-memory.dmp

memory/4816-225-0x000001F1F70C0000-0x000001F1F70C2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2D6264AR\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

memory/2736-246-0x0000020157AA0000-0x0000020157AA1000-memory.dmp

memory/2736-245-0x0000020157A90000-0x0000020157A91000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\D9J1GOXY\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF905BE94D7D9FEC9B.TMP

MD5 d3cdb7663712ddb6ef5056c72fe69e86
SHA1 f08bf69934fb2b9ca0aba287c96abe145a69366c
SHA256 3e8c2095986b262ac8fccfabda2d021fc0d3504275e83cffe1f0a333f9efbe15
SHA512 c0acd65db7098a55dae0730eb1dcd8aa94e95a71f39dd40b087be0b06afc5d1bb310f555781853b5a78a8803dba0fb44df44bd2bb14baeca29c7c7410dffc812

memory/2736-287-0x0000020154000000-0x0000020154002000-memory.dmp

memory/2736-290-0x000002014FCF0000-0x000002014FCF1000-memory.dmp

memory/2736-294-0x000002014FCB0000-0x000002014FCB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe

MD5 6525af1c2f2703af400bc06d43cbe6ca
SHA1 a607cc602bed06b410f9ebe2f48a5b7fc6a2288f
SHA256 260d7ec67c731a751625ef18ea5d73b2423478310cda8581a31628d5764d8f2c
SHA512 a64437574ac8ddacfc26106ca6ce90a99c96ff710f0f8c2dad6df6613fd1bc6ec5284b8e0c82d0c30a5c0db4cab1b090add88ed9dc81dab31dff6fb06ca787d7

C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe

MD5 9125279bee012f47dcbf23849116553f
SHA1 d8208dd025237ecc897df2e6b151a51df1ab594d
SHA256 e0c1e1aee89fd47a249107a8e387d402378c59458222510bea3356b29fa135e7
SHA512 e9113a6cea6ce9bbc24ae7191154f911150d70267b7e03aa0e0afab6d9a11763585dce8267f5557dda0833964e5282b6cc25aa636dd46569e9e5a1591d1ac073

memory/4308-306-0x00000000006A0000-0x0000000001A64000-memory.dmp

memory/4308-305-0x00007FFF99AB0000-0x00007FFF9A49C000-memory.dmp

memory/4308-307-0x00000000022F0000-0x0000000002300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe

MD5 27092644ea7eb8095b916ad7b825bac8
SHA1 776e97168680fa16bf741d07f202e22024fbcd14
SHA256 247c794eb6da41670130500fb9bf3415261b328d1854cde52cee12b1e465dfd3
SHA512 e098628dee6b34869f6c3579fcb7f76387b5ad3fdacb1571db4592c44761c2865d75e2163925f31b8dd18e52c6af78c5afa2f5066d055eb4b472e305ccc955a6

C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe

MD5 b899fdafb91296ffcc7ccbebd247b962
SHA1 ac5f3c3185660a8d730c9f1635402c960ae5a182
SHA256 e9dcefad91a8d500da841742779c751f21622c4da8916c7ce6790323d09eb793
SHA512 25c2be2c051921c095972be266419cd9a7bdeaa52e5325224d33a73423b22c4538cc1b4947fa73bdc06eaae6185235e38e185d1958a152f74d0d6c2d50398adf

memory/1756-313-0x0000000000400000-0x0000000000A31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ention.exe

MD5 65650140d71d3fcbee8ace7975ab2ac6
SHA1 c2b59a21b1d7fe6b2232efaab3042b81e4909dc0
SHA256 e961caaa4f22b6f9a86c4e72b529861fb8a5a6b55d4bd2e64c005be4b007eeaa
SHA512 7fa41420b772811c812a2847c9bcbccc10765e9ee2b4a8d66805ec9c3ae484f29b0c1425bb4d0969c80933e5ae0d0537bca33e5ea166ededb701bc7af5d037c8

C:\Users\Admin\AppData\Local\Temp\Ention.exe

MD5 243e16c6808e43afab5d73b6a162c655
SHA1 ee2ff71920e319532a78373202f0b3af92b45b9c
SHA256 6dd4243a47c027a7a23bc43bc769f611b515bae40ccc2085c3f7c976161134fc
SHA512 1ea224be471430932c07d4fbcc19736e93c6a2d8986ca696dcc79fe7313a17b69ae2e616d5bca9dba256bf5ec555d7e335568e92080ab8502dc8b6bd638a488e

C:\Users\Admin\AppData\Local\Temp\Locker.exe

MD5 a83185ef7c03bfe0e0fbe10098876a34
SHA1 b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d
SHA256 7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be
SHA512 283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c

C:\Users\Admin\AppData\Local\Temp\Locker.exe

MD5 2375b71469b2761f181f4e1bfd1f2463
SHA1 0434f0d281498db73fdb76891525cc0f1ea142cc
SHA256 374eab1c5abd8dbab74f74d53c4066257642d485f7508d1f549b7a6a85fff3d2
SHA512 3475d0d999a3841a4e72aa936f5cbbfbc5324b21dfda8cba5647c480a85aeddadbb3665c2713c0bcafe95fadb63276c5154eddbcb6c9d4e2218a188a70d4a0c2

memory/1792-325-0x0000000000400000-0x000000000075A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt

MD5 e7cf6700045181cb6889772d0d915586
SHA1 ec2478210baee9d7e7ac72d43b66ce642ffc4147
SHA256 3f93a8b1cdb1a748236e3d4230bd856abefa8d3660b691de89c5fc4e249a0fed
SHA512 79f764665cabbba8cf707b6af065c92c3a91ee8f393c6bfe121db64e8fc446aef39bbd8d47efea20c948d907454bde6b1deefba3ef3fb847ec3452bf136a3352

\??\f:\Client.exe

MD5 a85056ecfbf94af8efaa2e9dcec8ebb1
SHA1 f081275fbbdddad10689e185a750e1fd1ca0d0e5
SHA256 e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
SHA512 c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9

C:\Users\Admin\AppData\Local\Temp\autDD9.tmp

MD5 7c30424c525cb64760083e066ca1f77d
SHA1 69c369028e3db4fe5c2fbc69cbd837d66496c480
SHA256 b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643
SHA512 59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df

memory/4308-454-0x00007FFF99AB0000-0x00007FFF9A49C000-memory.dmp

memory/4308-455-0x00000000022F0000-0x0000000002300000-memory.dmp

C:\startup.exe

MD5 12b162b0c010fcc23fa43b03cbb76509
SHA1 a696c6b6d5c0216b3eddf8dd4eb2a269abe19d00
SHA256 6be68911f16ec9283da61ce222d946c9e8e5ea39d71ad9d23216b4961947d180
SHA512 f983d2a19c18574cd09c1be30f44a6c8b586bfc74341367f6dfab26a6c7440f73e7ba252e66d1ed5fa6af5a78dd3f69de3909a369fe08ad78ca1e539eaa036c4

memory/4308-595-0x00000000022F0000-0x0000000002300000-memory.dmp

C:\backg.jpg

MD5 aa8212e3f48d35711f219cd9bf1265ab
SHA1 a3b17cc5311f23cc2db204f5b7081cd7d170094d
SHA256 ddc65eb885e5f89406a0b9ec5d23b0bf041ef9c15b689ddf6b855c9a62132200
SHA512 1d15ea1e09dae7d5c2b507f26dff3c052888deb7e5f8d17f5baac1c76a15cc2b0f11b470d855213ba17c03b32856e921b36c8acc6a32e9ff1ab9c04dc4ccf261

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

MD5 07633ba66f1d47a46791dd4e31dc205f
SHA1 5a6096eb2122cd089dd5c2c20d02079631e074d7
SHA256 cbd11c45f80a45a7219c0590b04185250e1a9b898d9b905837808855c785431b
SHA512 fbb026281e5bb96ac2615747a9d8e942fe73e01f5390b4f43aad425beeb854957691e9b90c2068d6e99b2d6189c5637e4ecb05791f1017580f2af1fb08283505

C:\Users\Admin\Desktop\Lock.WaitClose.cr2

MD5 15fc1622619d91665093a3d6118e74d8
SHA1 5c0f3aa523e9165ae5211267fa0232870f745266
SHA256 1ba900246964cc9e9325dc33f28a403b0cdf38354e69d781c13a8b26c2273164
SHA512 d6bde6b6baa6de983d69a568979b9f238c6c6968c54cb10719e8dbe2ef3e2dffc1ed8ab3c9ed464b0953bb780c8f9cb324c3262f4b49dc83d8064715f2b205b1

C:\Users\Admin\Desktop\Lock.DisconnectPublish.tif

MD5 449fd8034efe151cf738eae0116333bb
SHA1 b2703d07c5aee7039269db6e358477ce1c221881
SHA256 fee060d593815cb8e4541715ecfa56e36fef2440f64fbe48addc9edbdf256292
SHA512 df97a83285541e03b1d41c1f08fcc9172dcf772cbdc3d4389ed44bccb646b7e27958d925f7db87927ad064f2c5e9fa7d12018e0b0c61125461c64495ba5c6839

memory/4388-616-0x0000000002F70000-0x0000000002F71000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS2.jpg

MD5 cca27415b786d200913522217acf8522
SHA1 be4cb7f3d444f6a715a6868243810181fb1eb1de
SHA256 2f18ae84098647ccba038f6a3da82b03b1b43e1f035f4a6d583c63f10d0a40c7
SHA512 b9ead104aaac9da740cbd333fa7afc68148db77cfb56645d5793f91ce4e61d7e42a0f720698eb706efd2a8ee97b7189b8bbe26f6cb3a2470c2a5fdd88af4c3d7

C:\Users\Admin\Desktop\Lock.CompareWatch.docx

MD5 47a9ddce20b4056df9918356f730b743
SHA1 d0d341ff41a956df550744ae7c3619f83851093f
SHA256 90a8e8573bdac723d41dece7e6f51a27d1a39a72cbe6ec8cf6ab5186c7919734
SHA512 a60c0038552da7daaf86774ce30a736b44b7410356fa188a41afca9d5bfe4611272e75760c31b3b95930491bf58e02fa573c79a2df5c79d78bfc4117e9c9cdd3

C:\Users\Admin\Desktop\Lock.ConnectStart.contact

MD5 870af7ea0ec96db43f5d53191f419d3c
SHA1 04e24b224a8750b3735b4520a5922bd399f21d99
SHA256 f2c666b2eba1d10dcbb790e7b7fbf6433f65122be0a1744755e74eacc4a762b6
SHA512 02cf8f74551c1c3d3f4f5417988f13b5aab1bdbd145d1299ef1b6daa03a4d772f8556be4a59c7753b464f1d0358febdfe109a7d1bcb875ccbd55b4a297e84853

memory/4592-628-0x0000027DD4340000-0x0000027DD4360000-memory.dmp

C:\Users\Admin\Desktop\Lock.FindHide.eprtx

MD5 b74e48e141896371403cb0ea648fdd90
SHA1 493feca04039c3d667be93ef6fb42dbea4c07cb0
SHA256 3784c78f25f26f9fec7a50a5c59eea24af4abf2902a3bb635aecdf835e0769b6
SHA512 9aa9c4276c8f74030f19528dbbbd611fe3686c067f05f4ccf2096f0b7ba7583743bb49a37362dc3ac56c2e8f12e53859ae6cf49f2b34e9c1f01eec4884dfb4e1

memory/4592-632-0x0000027DD4670000-0x0000027DD4690000-memory.dmp

C:\Users\Admin\Desktop\Lock.GroupRead.mpeg

MD5 de451bae4bf2925f4ad8c2f6e8798aab
SHA1 6f0134ea859cce7b39df7b354c02da707d296125
SHA256 7e834da22de1cca1a362b9ebea552c8927d5aa0bc8b2b6b1dd07c878e145febf
SHA512 dac930e033e8285b78f13ce70f58b047fb5cc52dac593aeaf0655c9030e2bb7e2e7622f4876663c9f58832bfed6d61c5f08697c7c8ebd15c0c7bb4705dc760cd

C:\Users\Admin\Desktop\Lock.InitializeUndo.fon

MD5 7c77c093e8f2dc4b9cddf6d7b8f53343
SHA1 e72c7523a4dc5fbf4628f62d4e16bdd610556828
SHA256 53091f434fd8d4e8d31377927f3e4b261da5a02377380dc0d944f3c12f57a38d
SHA512 40555c63da9ab8c34a5cfdce848cd4deaae9540d1a69144039a26d50a3c7c13dd43f8ecba0bb06d1274f0e2063ae1ebd6b15f1da899e599e84c6a06754f035b2

C:\Users\Admin\Desktop\Lock.MeasurePublish.mpeg

MD5 487675bd5cdee2a16bd7d89f7397468f
SHA1 e42c8db130e78bcc7e270aad06f6c4ae9b2138fb
SHA256 b97562b6b6432edc1f257513e1d029a4013610f89f9a0d4a037fa42d80aa00e5
SHA512 df6792913ff2b2ce50f96ae8567ddb0c80ce301473cb5d0cf15d09e5dee8062b914c0ca694a855f59ac11456a5e19e38660031c2c1b1cd04f95f4026e516bea9

C:\Users\Admin\Desktop\Lock.RequestStart.potx

MD5 6cc90535e31ae105b7aed16333cfd3de
SHA1 dd4a1d4030a5972a4442935520585c0df2b4c72c
SHA256 01b9254f0c0a829d05998591ba163606f269fba3c045a7d7b82d00e39f3395c4
SHA512 159805e61b21246ca82f8dbd032450ee4f15866b58f6d3f25a441f5785a28ebc978e1e2e7c1dc5a3929b5d7473440666bf74bb7f11bf40cbedf594fb9d25e4eb

C:\Users\Admin\Desktop\Lock.ResizeEnable.dwfx

MD5 7519cf78722f8e4a58ca95278a09d2e2
SHA1 1f869e95694e604b8a9d03f7c9a959803f5eefc7
SHA256 28f1671b83f0b53e3f55e2bfb0d263cd52a8c7200c566bd4f393ac070552959d
SHA512 4c0249e0076fcbe9a4cbcd9356b2489f5195ed69d7ef29d2cd9c5898d74f8a425c7292f87c6150e958fbad97f461b04c7866b4ea5c27cb96314928ad4cda26c5

C:\Users\Admin\Desktop\Lock.ResolveRevoke.M2T

MD5 9957aeb1a2cf97f350cf6801cb8586a1
SHA1 bc98909794e94365aee92a5d3d41401337d2e7c7
SHA256 2fa53e32b9dcd857ecd7bc4a56dadf1daaec0f8695d8cbb44c2fae0be36e1e55
SHA512 f60daf9c19910eb4e4d40ef23ab6f8a3eb32f186c95708e176c2bf560068bbe27ce9cab1a52f9c9624bd8e16a969d4ee94cd7dbdf2d76fb9f15232a3e67c503b

C:\Users\Admin\Desktop\Lock.RestartTrace.jpe

MD5 f525565d82485fd6448e059a2179eec0
SHA1 7e68252c3e8753b65ba2d96c71116070605c34a8
SHA256 d6ac55cf8286bb9ca6b1c3e2bdc9f2fb80e3fcc9ed8deebfc6d6ad5184380ef8
SHA512 b51fbffc6aa6882a7148f151b2fb780f44cea23060a92716fc523d7e4ee0a93ab334885770c34408b41159ffad22aec25aecfe5dd95c05b8f5846559ceb45e97

C:\Users\Admin\Desktop\Lock.SelectPing.wmv

MD5 2a9893f2d43b0770b75e177fb28f3a6b
SHA1 5ee0f4cfdc18ac4b83464def1a9b6946af58ee50
SHA256 154171db589c7720f8db73d9179c1f307699ac124087b5570195ebd0bb16879a
SHA512 7ea2ca122f9a0cc410bc974c405d0ad91963ef17ef29a7f8892f7f682182ff3fe4ef5deb6dcbf55f8bfca1e3029e650cf8a654e45159713dfc6670072ad863fa

C:\Users\Admin\Desktop\Lock.SendMerge.TTS

MD5 42265e938eca720bab84d60678c96207
SHA1 041e094ed70b63e7d60134d0edf6493abf3e11e4
SHA256 7d08b8772e346e0c24935b4d45495c0783d636556deec25e48b5a1606d52bec8
SHA512 081035eb72585c30c653135a462ad4e74db24f044b4112eef10fb91d270366d23d75cd6eb832eee2912c49567b6dd1a4a774a36d952afc99c692026f0712f073

C:\Users\Admin\Desktop\Lock.UndoExit.jtx

MD5 9f8a06f8793aa414be45a186c6b2a723
SHA1 d509e62c5ac1af41bb4786c2b86a97233484518e
SHA256 2a61d6968632f1e77f8a0ae805120d04caf5e02670cdcfd097163aa254c4076a
SHA512 b442cff7c9731eb5ec7dc8199b965b0cb086758feff6e6a650c284083d532af4a48b9c53cd598edeb95cc092597c42701c946d71b1ac17863d92bc37917e0578

C:\obama_icon.ico

MD5 f89f675153effeea979e32716d1dcac8
SHA1 84780277f79505ccf920d13391726741e127a79d
SHA256 99232a1b8d11825ccdc89ad8a9e095c6a1c36731836c17207ec5f45cfc0270f7
SHA512 8c447c5a226a127cb671eac033bc7db370a5dd47aeed7e46fcbd112684bcbff300827292c8bd87aee6f21bff887c4c04b7620b3bc22a3b6bd3b6843678083fff

memory/4308-755-0x00000000022F0000-0x0000000002300000-memory.dmp

C:\skream_icon.ico

MD5 21a8888b16b257c094fd38d09612fc48
SHA1 9ce7e89da63c663987c9624a845144a4fecc3e72
SHA256 e1e71925f5169df514d0c196f41fe91ae1419426ed28422aea78ab85b4dafbc4
SHA512 cc554f7180b8f79de7ee6278b19fe8a4331ab9caa5cd980caf66eeed973a3577b56dfb57e4c0797d7987ce55ff8ab305a9a51b27568ae0fb9414498d3c494af2

C:\the_wok_icon.ico

MD5 8e1462f2d993e1bd6fd00268623abece
SHA1 67367e20f64d32ab8d1840dedd91d686ac989952
SHA256 ac084f24272a89b616e21add98739a7c4dc55830e6c7ac8fff74a9d495eef4c5
SHA512 9184a8a87c2b5ec222df4d51a940977b2ec784c634ca66e5d11a46d35ef1a38162b6e1090e1df364eaef3fc1313a39a989a803c2ace603e90fb4473ec9105ace

C:\ustupid_icon.ico

MD5 6e3e6e1a0f01c0168c7b1fcb4e63a89d
SHA1 785688b7caa8f28583e417a651517b721405d835
SHA256 b856abc28d3d026fbe327376bbd72f7a169012bc987d59dc9fe600e9714ff634
SHA512 d2038420bb997ff0d97561ff8b167822de36fa1f924962abed0f29b3c8b2ef7bf9a9f52311738d498b894cfd7d488ee0a1741150e45782e555028483bb1ecc99

C:\walt_icon.ico

MD5 fa516d1d0fce7db4dfa81e73cf74e917
SHA1 ecbb4b0ab88b6c7574279693bda9a7cfd0a2d9c0
SHA256 335b92e10ea035e1061ab8d44d02472d2db80a838eae63900b9d02ab9483c4af
SHA512 f9adda2c53121fbe6a0c42582f2af6d19dc8225f9422a2163210153bd5bc458cd4fadb1d97085fadc658b45557ddc3650ca96d68764241a153c70b68569dec8f

C:\xina_icon.ico

MD5 0f111a8457f17592240624b2e80a6c61
SHA1 23b009e988c3a95d9e8ac97e9baf2979dda3211d
SHA256 8d49d92735d094885cbb57a63988e6205b5a477f2a571aff2f1e8d295f3d8e2f
SHA512 4e14e5e9c834723a23d3982fa2c5223eb0ac09403bc5cde638733c2a96dc28f820f76b6614e444b5a2aef3fb9f53c6e8f1fffd265ae7bb0af0c372aa7f548bfe

C:\theme.wav

MD5 e4f642067670a4001d31ffb18f481f96
SHA1 538336f1beed8f74a0913454265cbcce4822c4e4
SHA256 5b41d14436cdd8e5467be6a1705daa108c428176c9fa4f9c74bd88cd4b703960
SHA512 5b7e27540c1bcd579d633597de005b7cb6a91f2dc8a6849c23b16a1fcc942688cd59ef0b0422a2832a2c84b6517e9debd87c5a1e9a57521837dc1c18ffe4a59c

C:\guy_icon.ico

MD5 caf2b6d49aae9303b222fdd06b91f10a
SHA1 12b967bd3aafa465c228551a7cb2d70f8b9f972e
SHA256 2b670bfb2029e8f023f13180780c648f606bb91fd5854e45e08c27bad2f4e1b8
SHA512 0eb51b3e222c4843fb3d79bddfd04faf41135845f1d20a320be84f076289be9890624cb34b73bf4093b2ddbb8d48ff409deeec5aaf3b10216204a24da4c2f92d

C:\rock_eyebrow_icon.ico

MD5 56afb11ebd7367af4c03b065ef3580f3
SHA1 4f30fbf3d5c0469533c1b33b98aa612e6704c14b
SHA256 da6e60fa7d074a5b8a90e3ebe53ed1c01661423ec0ec1ff154857bcef14ecff7
SHA512 eef0e1be7dfde83f546d36f41a6339ce17d5c7153da3f3d003838c333884458697b2d156abf9c119f4786d4d53f08563b79d17c0c3e316dabfa519db145e32c4

C:\avocado_icon.ico

MD5 6d362a3e515cc18d537f74fca1f75293
SHA1 99a5b363ac274e027530fa7a532a007b0e6c56f3
SHA256 c87dc1a91720070afe96d3be716d6203540da4d08e9d2339967a8a2a6a521d42
SHA512 896ac439ff7ff58b33413fd978bee25afffd9f4b2a8183ad63db861b92c7118bad0b845ccd85390c8b8a76ba57f6a6fb7d0ad3970bdb0a28fb9f2ed718979821

C:\speedrunner_icon.ico

MD5 a0bd05bdf6641d55fff217fc45b6e7a4
SHA1 9c4f824bda8ec17d0c23fbe50cd8f6c55d5784e3
SHA256 c34b87c2f0454d80f7b1989e80eb5b6ca04052c16f94ce294f15a0053cc76ce2
SHA512 bdecd28c096925852936f0aa96a406596a3d60bbff51ac1e12d9241f4c7552630bf12aeb73cfed8cf8afc916cad90d4e6d23e5eafea6e14f73b73ced4992bad3

C:\ben_icon.ico

MD5 35ed09899d21d2f9806e5c4eb1411324
SHA1 5afa7972868a84f4e49d65f149aa09dda07870d2
SHA256 66775b29fdbd36e7ea15b038224a12271fe84b0e1129b11dec008af1dec986b3
SHA512 625d060ab49f371a9416315f85f6c01874cc19bfd5a4fb9b0a84287f1af0411695623e4176e62afa6623b16339b4c603f6a2179fe00ef505fdcd97e2b36cf820

C:\dad_icon.ico

MD5 8883262af502c220932bbc50979391ca
SHA1 0be9ff95e86e798493f5f067a6dd3ddec9ed6832
SHA256 f500586d27d938ebfc965c59cdc42e361b78bc41246d52a075bc278271c96fc6
SHA512 ca78bd4cbf199ac1ec91058e48f357b3dae908a5bc06eba132ad9e143d5791d11e04462a96bf836999dd412ff0d9f37d06243c8b944f84ec354a3fb223b1d076

C:\whenimpostaissus_icon.ico

MD5 57a21de76111fd67dd32bbf5b8cbbe8f
SHA1 127d6c20da0234ac8bc9dd65391fcfd695185274
SHA256 8a5f22591d81c5ce727cab12fa380c3331fd9a3118a69667bd21b8ed9d6bb96f
SHA512 4177b17475c7dff84fa577077d844e27af7d8dafba7f6beacc1b45174d4df2ae88f242529dfbd5f6e5b80bbc5ceb949ba0fcd2c3c7065dcf32226b0e9da85629

C:\amogus_icon.ico

MD5 43042269818924374a29891d79cb676b
SHA1 f34ef8a688e15efa9c0117816a617892a2730bb8
SHA256 77aa5f8536b9c30133f8083712b2d5434123d31a6ed41f0680fce52e06144187
SHA512 09cefcf48c1ebd4d5593d6d4f6973ff39330d23cf606da54bf79eeecd355842c675bd530b4e43d19b3dcc3fa6f4539d5d161ca423347197d6b319c17abab0e31

C:\Users\Admin\Documents\Lock.Are.docx

MD5 4d3e6bbe44de5513c1733b3e0c6eac64
SHA1 cd3a00fc52b12f900bd4a87482d28021e2787265
SHA256 ce28015b2b93deed2c7569c325e811aa9a0eef29070ae6f73e59dbdee7009fc8
SHA512 11c128b5a2dfc97a57c5cb49ad31841179344bd3179db15c71f0a3bf11cb61101d1bbc2e125baa8532f383360198c7843d01e8dd63c3b2340d77351db8ad419d

C:\Users\Admin\Desktop\Lock.UpdateInstall.odt

MD5 74719d5073111f82434d0a6e91866621
SHA1 87b146eb1b0067d148787c0de5df5a6d3f36ab4e
SHA256 f83119e6dc36294fae8c33829dd7e1c2168ab9f77246cd69cb3a4b661365d0ba
SHA512 cebb9ca5333fc7ed058ea32d9b133ba611e8e756ff2f781bf979e177e3930fdc52f75a02c8434e2b5f41fe484da17a57bc40a279929dbb15da9b0afbdceb9ed4

C:\Users\Admin\Desktop\Lock.UnlockSkip.hta

MD5 d6709da0420ab102b0da82ce44eaedd0
SHA1 602fda0d9c203c97871b3040cca417beb75ed98a
SHA256 61532c2c36f93a44a2e5cf8c4649839a1fbb1659c443a9df4fffb29f3fbc707e
SHA512 4eda62f216b3361c00924ca63e594642e87de0f11bcc00820fc9b684cb63b2184b87d14e95881835bada98c2f9b8ebf6463f60f20b007f73d07e70066b131073

C:\Users\Admin\Desktop\Lock.UnlockReceive.asx

MD5 ed3ab00113151514fc3dfc78d907611d
SHA1 4748e09d287014271604868bec8352f5f87ca831
SHA256 71e6da70a8514a31837f1ebf14c54b1ca52219a67e6f5dc42a2bdf35f92190c8
SHA512 d94d0de1c3ab8fb60057f0163ce54236f0ea79d90001a75c9fffa920df07a8f495f8a3f3e0bc0022452b7b3397cf0a23cc24d7f324ebbbae2323d29d04a115d4

C:\Users\Admin\Desktop\Lock.StartFormat.reg

MD5 ce1486427a77f3cd80d7a3a6bdb9bf70
SHA1 44c37553ec93d34de1bffcca616f79595077ecf0
SHA256 eb9951b35952c025150e1f6d93c17b43e85dd7ed4c255586ff638c843427ca39
SHA512 1146b1acc0a1703e558ab4b547090b7b5d86dc1803f63130a9661ffe618671e99c003eb6aee94462d50a8719f3bf1e5659d2aa896054fd9ad8324368153565e5

C:\Users\Admin\Desktop\Lock.ShowUndo.snd

MD5 72dcba71836be0db3375351ee14addb5
SHA1 0d7a27c654654f7280990b6d86df3de5cb82ab5d
SHA256 292fb5d8e6a929a75a3f9f3567443fee3e16cea13682933f2e77a2a28871db4b
SHA512 8b81bb4a680b344932cce8f821b6f2aa933f760d6bdc1ff08357e054c25e440ec28fcbcf6e05310a5e341f15214e4008deae1becaf982b4145bc2048c87d3d5e

C:\Users\Admin\Desktop\Lock.RenameUnprotect.hta

MD5 ff7bfc3c429b924bf35d4e8eff17593e
SHA1 c41fbdf7380421dfde4bcad416727e2696e9d1fa
SHA256 e03dc6785b36e8de78641684d75f3e186f895941bc3b864ee21ef6ab56caaffe
SHA512 2ece92cf32ec6290663f66aa4a4314b1bf6ab1674f26191c718d8687f679df77330b29f70ab51724c72c1e02f44ce610938fd2e67f6ad73ca1f675287449f50a

C:\Users\Admin\Desktop\Lock.ReadSwitch.xht

MD5 a97330fc33edfd1ae4d88347956c06af
SHA1 0d0ce772df0e9539fa524360bf0905ebff02fa02
SHA256 1661eac8c7dd045c541614ca4f4d1b2db62302634e1489a8c91249755d14dba5
SHA512 ec80ca61c6eff47f98d5fafc6c9c1f5e7b471e8b1279e9fa3627a285cb1533195ff38a53066e635bf781a493403b3b06527251193566463a7d2e20238980dc05

C:\Users\Admin\Desktop\Lock.InstallEnable.search-ms

MD5 54ba53aa3f85b8512c47a7d6dcc71728
SHA1 041b21a04311a95728650be7bac68f2ac1021218
SHA256 bd18f7e68e27d9f5a083cde58c8f33eb2fb286b88eb9e9d98d63f00c9fc2c604
SHA512 440c5807c6f661b3ebe22c2b1ace4f8f5cae731d8eee44bbf91db4c97650d0e40517391d918e4965f04fab3b7953f8a2a8257506425f6dacbd319668e3d35d07

C:\Users\Admin\Desktop\Lock.GroupExit.ogg

MD5 9da2d454d1d5e9a6422fb9667737adf0
SHA1 383b496c833de9b6a184dc66a7928c114d575f05
SHA256 366ca92becb70660c1c016b616514a4f0f383d0d7cefea5a6823a34f1bd4b9db
SHA512 39b80ef268605ee60002923e6aba740a616c08ab75fdf7ef75300bc8438acf66d85ad21d26b6cb5310726f5539f7c5086373e2bf09a8c0ea9ec6bb6a54996863

C:\Users\Admin\Desktop\Lock.desktop.ini

MD5 ba41cfaa9aff58c3b40c7ac73b4d1cd4
SHA1 691f19d9330522a47b16c832c6d6b51a3a2efc72
SHA256 30fb6cb48d4689a02731dedf82483a58738ba4131e4be90b2a44bd1ab9fd6a0a
SHA512 708ebe3314fd85d51ab0e73d83a7e61cb00d6c0ce5e78530f7ed6c9e6bcd827ca5b3ca4cd34842bc2d7337fdd73c4c1f39407f5e8c94ba6a5fa8e9130533350e

C:\Users\Admin\Desktop\Lock.AddShow.temp

MD5 3cf6baa8e347ac0d61125d0d290e2db9
SHA1 590123b897f9e9c16d74027a24acb60624701338
SHA256 539b57b96a11f22963edc81730d9ddef8b6591ebaf9462418e36f4e85e87f5a0
SHA512 e29ccde6a1248f863b288d1212069fd2a3ef7de455a1aaa9e69edf94d8e4d7c7b933555352110cc8949996af3d1f962391459decc01516e601bd4863a2d94b8a

memory/4308-874-0x00007FFF99AB0000-0x00007FFF9A49C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

memory/372-896-0x0000000008530000-0x0000000008540000-memory.dmp

memory/372-898-0x0000000008530000-0x0000000008540000-memory.dmp

memory/372-900-0x0000000008530000-0x0000000008540000-memory.dmp

memory/372-902-0x0000000008530000-0x0000000008540000-memory.dmp

memory/372-899-0x0000000008530000-0x0000000008540000-memory.dmp

memory/372-903-0x0000000008530000-0x0000000008540000-memory.dmp

memory/372-906-0x0000000008530000-0x0000000008540000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 6a7f1f684523639a1abeef520ed75034
SHA1 d04adc28ab2656a7feaa737744e81a4f5d5cfbcb
SHA256 b0631f999f4255aaf8169eaa6d6116ce805465aa5419fdf2013a0c4a6d0ff96a
SHA512 e04e6236936202c5f49131c37e1a83d9f348908fd244bbfbdb78c143a4da9c2141220eaae834bc5aef86f0bd66863d93f5818ac44cc7c032749bdafa2815c5e5

memory/4172-931-0x0000000005D00000-0x0000000005D10000-memory.dmp

memory/4172-934-0x0000000005D00000-0x0000000005D10000-memory.dmp

memory/4172-936-0x0000000005D00000-0x0000000005D10000-memory.dmp

memory/4172-939-0x0000000005D00000-0x0000000005D10000-memory.dmp

memory/4172-941-0x0000000005D00000-0x0000000005D10000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-24 04:26

Reported

2024-02-24 04:56

Platform

win10v2004-20240221-en

Max time kernel

1467s

Max time network

1457s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A
N/A 2.tcp.eu.ngrok.io N/A N/A
N/A 2.tcp.eu.ngrok.io N/A N/A
N/A 2.tcp.eu.ngrok.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg" C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 5112 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 5112 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 5112 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 5112 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 5112 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 5112 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe
PID 5112 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe
PID 5112 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe
PID 5112 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe
PID 5112 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe
PID 5112 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe
PID 5112 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe
PID 5112 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe
PID 5112 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\JOKE.exe C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe
PID 4384 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe C:\Windows\system32\cmd.exe
PID 4384 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe C:\Windows\system32\cmd.exe
PID 4264 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4264 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 2648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 3488 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 3488 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4580 wrote to memory of 3208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JOKE.exe

"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM cmd.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3b8 0x3c8

C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe

"C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe"

C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe

"C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe"

C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe

"C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83AB.tmp\83AC.tmp\83AD.bat C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/lFwy2c-5Rwg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffafd2646f8,0x7ffafd264708,0x7ffafd264718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5832 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.156.13.209:15217 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 209.13.156.18.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
DE 18.156.13.209:15217 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.157.68.73:15217 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 73.68.157.18.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.157.68.73:15217 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.192.93.86:15217 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 86.93.192.18.in-addr.arpa udp
US 8.8.8.8:53 youtu.be udp
GB 172.217.16.238:443 youtu.be tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 rr1---sn-1gi7znes.googlevideo.com udp
GB 216.58.213.22:443 i.ytimg.com tcp
CH 173.194.160.70:443 rr1---sn-1gi7znes.googlevideo.com tcp
CH 173.194.160.70:443 rr1---sn-1gi7znes.googlevideo.com tcp
GB 216.58.213.22:443 i.ytimg.com udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 22.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 70.160.194.173.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
NL 108.177.119.84:443 accounts.google.com tcp
GB 142.250.178.10:443 jnn-pa.googleapis.com tcp
GB 142.250.178.10:443 jnn-pa.googleapis.com udp
NL 108.177.119.84:443 accounts.google.com udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.119.177.108.in-addr.arpa udp
US 8.8.8.8:53 rr2---sn-q4fl6n6s.googlevideo.com udp
US 74.125.3.103:443 rr2---sn-q4fl6n6s.googlevideo.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 172.217.16.225:443 yt3.ggpht.com tcp
US 8.8.8.8:53 103.3.125.74.in-addr.arpa udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.238:443 youtube.com tcp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com udp

Files

memory/5112-0-0x0000000074640000-0x0000000074BF1000-memory.dmp

memory/5112-1-0x0000000074640000-0x0000000074BF1000-memory.dmp

memory/5112-2-0x00000000017D0000-0x00000000017E0000-memory.dmp

memory/5112-8-0x0000000074640000-0x0000000074BF1000-memory.dmp

memory/5112-9-0x0000000074640000-0x0000000074BF1000-memory.dmp

memory/5112-10-0x00000000017D0000-0x00000000017E0000-memory.dmp

memory/5112-11-0x00000000017D0000-0x00000000017E0000-memory.dmp

memory/5112-12-0x00000000017D0000-0x00000000017E0000-memory.dmp

memory/5112-13-0x00000000017D0000-0x00000000017E0000-memory.dmp

memory/5112-14-0x00000000017D0000-0x00000000017E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_459522CFAB1749B8BEE0B90DAE653167.dat

MD5 44b87076e98f4eda3393f800003787a8
SHA1 d27f203558974c8e81f6dea44f88742ba4f09937
SHA256 d251eca60f8583f9290a0dbab26fc1975a46004b07ae7665f3de19676c9085cf
SHA512 65e549b413238ea596f7cb1fceba84d5ffdeaae4d390f46405ab9d19b446b8fa8ff5966214731d8815bf7e91478bf3d5c28d76f41322a50fd83bdce099b3b5cd

C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe

MD5 a83185ef7c03bfe0e0fbe10098876a34
SHA1 b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d
SHA256 7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be
SHA512 283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c

\??\f:\Client.exe

MD5 a85056ecfbf94af8efaa2e9dcec8ebb1
SHA1 f081275fbbdddad10689e185a750e1fd1ca0d0e5
SHA256 e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
SHA512 c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9

C:\Users\Admin\AppData\Local\Temp\autC7FC.tmp

MD5 7c30424c525cb64760083e066ca1f77d
SHA1 69c369028e3db4fe5c2fbc69cbd837d66496c480
SHA256 b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643
SHA512 59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df

C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe

MD5 c29e84272de123ac2cae92bf8210d95b
SHA1 1b60b8f5430707ca08d806e5739553cd6cfccf89
SHA256 42c145d05f5a3d20a4df748d488e32f986ef0bbd370dd086b6f431e00a5efb14
SHA512 055aebf709f23647783f034913fd61721649ceddcc1357b4bd34ecd446b059f27c57a16392943000d7f2152cdec51043d11910fae1dd002f043f300d9724ee6e

C:\Users\Admin\AppData\Local\Temp\8x8x8

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Desktop\Lock.BlockDisable.3gpp

MD5 670ce5c4194d87a121da131c94358a4f
SHA1 31cf54a5879cd4f379e8d0b2ba73632d3ba2d50d
SHA256 79c98dc33dab24dd6e2a542bf4e4bc79d4932de2b45d40c197b2dbcf813cc35a
SHA512 f2f56dc49224f9f5a67db7061b1a5a02a996303efa5c1c760a7b4151e9db64614ea651dc1c64c8bff2a367f7888492554a9cf2f07b99e78ffe0ec6f9b5d44de8

C:\Users\Admin\Desktop\Lock.CheckpointResume.M2TS

MD5 ae316fb88b863c54a29b0e15f6b5662b
SHA1 d5e94a9b252ce49069323abd08b8b5bbe9975b9c
SHA256 9a892f18339dbbaa0e13ad1dde72069dc799e6cbfa7fe7875c4649cfaef0fdf5
SHA512 4c544a5b3a5613dc1f5b7947b9e64c080e055a954dda845dd5d0b29122e233808329ce949559961d3cb316549b905fc68206b499ab1096d30db284f31712923f

C:\Users\Admin\Desktop\Lock.ConvertDisable.rtf

MD5 25ebc43b01f8fc8a8ec7f1204cfbbe5b
SHA1 61b5c8bc88c0a9635e4efabebeef7a7cabafeb00
SHA256 2018eaf0ff87a5eb0f131736fb190d30f36175b5b3a8bdba0be32fee14fdcf83
SHA512 bf0ee465bb9f60676ef9ef7c68ee53f315e01b6b4a9a4cabbc431c894e3f4c59459b41f664f316230c27462212da4a749bd43b634e56f55f5c2a41481b111bab

C:\Users\Admin\Desktop\Lock.EnableJoin.vb

MD5 2cf2f59713820c90fa1f7754ce5d7d5d
SHA1 352385b66908d1487ab618cf978382c47c9cae7b
SHA256 1dc2776011f24bb4b7b73175a124dd219276993746865b6b597098d60a1b26a4
SHA512 83e0323bcde52c1e869d8348c1d93de2ddaa774b656719b1303445d6792a68ca6502294fe2a046694f9203853a092751f290e6174ad5248e0556848f649a96c5

C:\Users\Admin\Desktop\Lock.desktop.ini

MD5 ba41cfaa9aff58c3b40c7ac73b4d1cd4
SHA1 691f19d9330522a47b16c832c6d6b51a3a2efc72
SHA256 30fb6cb48d4689a02731dedf82483a58738ba4131e4be90b2a44bd1ab9fd6a0a
SHA512 708ebe3314fd85d51ab0e73d83a7e61cb00d6c0ce5e78530f7ed6c9e6bcd827ca5b3ca4cd34842bc2d7337fdd73c4c1f39407f5e8c94ba6a5fa8e9130533350e

C:\Users\Admin\Desktop\Lock.ExitWait.jpg

MD5 8c6e4a130490884531ba75b7bceab2d4
SHA1 d75228e8078f78589b6135695be4d4daf11ae214
SHA256 b3282350b4e22b2945278ebfe4bcb43c6d30919d9ff112448db042d7dbfdc2ae
SHA512 43fb43e7b073de89cb210ff50257024e9798c778c75f6bca2c284a0406913d1f1c7b4322f4f3a30fb42db61e9448c53956d556b0ca5eab8d85c3d8f4d4c1f3ce

C:\Users\Admin\Desktop\Lock.EnterShow.htm

MD5 779e919f02e5aaa87da21602809c398b
SHA1 0233e9db3bafc83328bf486dfb404c0c55e3c31a
SHA256 27c4265036f936110ecc6d7be19656b708728eb1751bdb4d7c1e9fc1d601abd8
SHA512 dc9eae7db3eaa62e16c176e9f17d6394ac887ec10e0f8eb12f4855dfcd729627b5789a28c9f7f10bac5e23b99b3b4037f1fb5a84cd75072789d859dcfbe3b363

C:\Users\Admin\Desktop\Lock.InstallSend.ex_

MD5 f5111f27b4cbf404f5c6536bc1d95fd2
SHA1 c353dd920ac873b3208f62da1715053d6dd9386d
SHA256 5819331f3f938e2a3660e892d8cab9f6a608c42c5f81120b5961aac3181213e4
SHA512 c3c739ca37a4923d828e5f7fbbf88ab6c1974bd49fa8eab08aeb08d87a8f6585734276ba51b0f85a2b7b2d9e51b223b76ce9a0b0f2e6dfff1a8853ad02ffe693

C:\Users\Admin\Desktop\Lock.InvokeJoin.dxf

MD5 4df3abe315463a30290973be76fb21df
SHA1 ec557364209deda25be76a76d39ed6602fc78e3c
SHA256 be4c50325063d823c3bb7a0eae2ba97fcf715e3b29940dfd818a9ceaaa10bb6b
SHA512 0877e14b61c1b9328f52c2dea45754509057280c942796eece17881f70c2ca0ca794fb48333eef57b2b62198343b62791dd898e23758cec140abfa7f3b1a9f4c

C:\Users\Admin\Desktop\Lock.LimitInvoke.dwfx

MD5 13686eb144b2e83ebf4ce666f58caa6f
SHA1 81dab857f42f666750ac5f22e2ab479d3aa25e2d
SHA256 633a9d216ab944c184d72991e2b6b37d3c4bb01287fd35c72155b5c02d11496d
SHA512 75092ba7c4daaea299b798a84b7ead9185461a27f2f3314306e910361eb62674d73006318d9c6d90f00c0cb72bebf4cd253e9d6b246cbf36a29926049d0da724

C:\Users\Admin\Desktop\Lock.MergeInitialize.rtf

MD5 05bebbfa268b3fffd856c60021293cb0
SHA1 732b03919b19ed0f3f1287ad66f93a4184847031
SHA256 f303032b6012242787b672785c5df67b85d4e3c1a3791996f0252a7783d6d79c
SHA512 96953cbba7bba846a2e4da6819a6e54cd11a46e482f0e64f92d25ca72e98981160164e72442a5c78722faaba9009b4f52afbf1e8a698c4a490520ffdc7072e57

C:\Users\Admin\Desktop\Lock.MountInitialize.ADTS

MD5 10e774d33b41b134558007f68c0a1f13
SHA1 0edf654313cd4eca438a6ef3e26662189e48fabf
SHA256 19ffe4e3295187024c02e8d79a8db623a8dc3f1972054bb9b787ea4725340177
SHA512 01da0f41c820aff2fdb9c1ca38dc5827be149ca8ec6be86ffc68be88d5cf8267adb3bcf18c84b5a941397e8856983f096952a9a06353ff520d3c1d262b920c3e

C:\Users\Admin\Desktop\Lock.SaveHide.png

MD5 3b12dc2b8f2fc1f192e7f820a7bad014
SHA1 cc49e98590315a3f4b0bc19d115a60f8c5eb58d4
SHA256 d61724e633feac5099e4ca4a728682697d6ac40764cad414e276f93bd6d6d51d
SHA512 3203edb10b0e70ffaa22712952bde28c3e7a39f09e820bfd5a1ffd061b9587c1a5db6324b5b8733ff1c41813aaeb8e7f4ddb0d5c07ac3a94cfd96b815014386c

C:\Users\Admin\Desktop\Lock.OpenSwitch.js

MD5 1872816f38ed9fc5cc81b66630d3e166
SHA1 b56c195fd326c50f73b9afae8612df630236a246
SHA256 90df6c104bdc99cc417c1897a3474e17aea38d7b23121a2a8e3f77a5f108ef85
SHA512 0165eadcfccc41985cf63f60cff365a0536f5b61558630b1c7e31ff87d3b831402d6679622ce0644e28165f3a8eb47eb024b1c097f7f2c85f272e1de8880b6a8

C:\Users\Admin\Desktop\Lock.UndoSwitch.au3

MD5 7ff6e96db392fda219fe60ab85afa4a5
SHA1 d654981f6493fa2b2541b65ecd4731f96421f971
SHA256 1de1c4f8ff019af1de36a5a89ca2f2722962bf7d661ff67570b9e8bca55df8fa
SHA512 3f3fa4eb6e3d0fad544fda8908b9a8785fa827cfb12a5ac75ef12f3c3954e4732bcec6e3aa561cade899dbff95bfb97aec85b066259abd3bebfc8da4554cad4e

C:\Users\Admin\Desktop\Lock.UnprotectSwitch.avi

MD5 20e48da4e87fca3be6f53f3e770a56d4
SHA1 c927a481278fec44c37c12ea1ec56aa0c5ad183c
SHA256 4e3a1316f36fd03d48c74d36107db5dcb12edfb6e44a800c1e03350d0d1b3065
SHA512 862e1800e7730b1036e58cd692e08f5a9b125a351f19c73e22a5efa8ac4facc5bc7d17eb7832ed391fb88e59d4d2bc40a59136994d52360920f1f6b225c95e6d

C:\Users\Admin\Desktop\Lock.UnregisterExpand.doc

MD5 93bef71c4d5323f73d02956b9ffcdeab
SHA1 3d8a46b36d846dd3fbdaeff5af5f3e37c92488c2
SHA256 ede62e14b45cbca864a41faeaedc684911d220207d660dfb1cede8c26879505b
SHA512 a39d8846b3aaa7f2381d3ffc0bc73248bb322d584a6f4c6d902248530b5ff2e87f889d0abe473c9a81cd3a2cbf0046f435c6ddb6adc9beb5c98db2b37fbffa11

C:\Users\Admin\Music\Lock.AssertClear.tiff

MD5 ce4181f7704f6587acc916d412310594
SHA1 0b96c98ac284dd647f287f1713e8830eb7f77383
SHA256 3769d6626332dcb313093b9d6d4c02eed7ec735e456b9317a85d66641a043696
SHA512 e2a56ff5f65d0afddf96c0c4cbe3c58e3e1b6c3533eb420803f9bad293f61fd1fd6528c8cd0f3dd065d555a6ee4b0495ed2222352df6e7cb6e837fdabba29d04

C:\Users\Admin\Desktop\Lock.WatchConnect.DVR-MS

MD5 cbd97ee42eb43c4ecab3daf8523d81d7
SHA1 7a466c5202f59cea78a14ca9834e049fa722139c
SHA256 49c07abacc76819b319de36a42a5acf899380045e176d88dc6a769530450210c
SHA512 c39c53e9bab188c9c38cf2fc319a49399c64c5fba4c301837d44568f192bbf44a5b338f09b6814a1d7e5b5dc1237267f373362b1757cc9fed8eb71f1983d5933

C:\Users\Admin\Music\Lock.CloseAssert.scf

MD5 95e18724d3bcf477d57cfb90dbb159b6
SHA1 1bfa67cc71ee4403afdf809dc050f9bba9e26993
SHA256 de48fbc0186f32b16a7cf7008d5e55110e005301eb2b761197c7acba8dc96cbe
SHA512 71586748185d2a15ac8be39602284182d6dd58b93db7a9804dca603ecb3a6caf4d7a684b87234ea846120ad756f1e6c7333b56ac4af552ca49760de7f59ba5b1

C:\Users\Admin\Music\Lock.DenyUnregister.shtml

MD5 bb5dc44b3ce2b78acc226129b3a0ae20
SHA1 ef9c74e219887916767c3c3f193877ea92af68b4
SHA256 6852b8d34c5990444ea9897a9c394429fd629e7ca563432ce7703d378550f5f0
SHA512 12dc871ed50fd6c55819f9b98ad62c919cd3c4863d2cf66ccb54b959e317b5516ecd62e4d890fb0bbc6999f4201b97304259e60816581858d86aa454664971c1

C:\Users\Admin\Music\Lock.RemoveConvertTo.nfo

MD5 96b5a3678117daa1e8862134b892f5c6
SHA1 0edc6d3aeff385c3ec6888c8e9a2a79962273446
SHA256 ba90d46df1469eab5793b8acc4a4d0fee2ea8a712b961bac35e313a7a553f920
SHA512 3daa36dc5a63edb90438ce317372e17778ed1642fd07bab12f2fdd63e687c4fa8391396b98aea2e67a4da6c0f0b9c23c58f3c57207f07cac3b347b2816f4483d

C:\Users\Admin\Music\Lock.SetImport.dwg

MD5 59c04cad3316d960ebcc400b5c96843d
SHA1 e5b6891bedc7a2ac7b1b6b9bcbb061edb005754f
SHA256 8eb88a3a7d0f55d627272b56d54e2648737a76e95cf4777ebcb7cea563df6909
SHA512 9bd15882cbb64653372172b0fc16fa9ca8173f0ea82cdb65b230da55c982e357a6d87c0c22472de2dd1379d5bc7e14c3345e0e59f7acc1b0521adb209b89492f

C:\Users\Admin\Music\Lock.ReceiveConfirm.zip

MD5 17e177157508a2a2c2e6f8ce27a3d8a0
SHA1 bf6b4866c65dd6f4997ac180b9d95ddc89f47f80
SHA256 ed40a8ee9117bb8f503a2cb353a26d31758336204f42a67ace01acdff1fff36d
SHA512 db1de8098e56cd7fbf66a345faca50c380fd04213648eee438aef70300515b7f2db076d555ef908077674e72ff054a50987d354a4a1bcce23c07e8491fa910b5

C:\Users\Admin\Music\Lock.SubmitComplete.wmf

MD5 1e91c983ef561e87d3829fc9ed213b55
SHA1 265c693d29956ac9707553dcbbe34fa8b3f6f41c
SHA256 5679e3bfeab5cd9d2df8ecc0fe7db8bb47b2bd9a2921d9140ea35235fc5f0c37
SHA512 b6a2c68be9d800794853be8b669bac3271f3b19743c3ebf321ee76767d81dfa256a116824b9181e8ed79f2a31cbafd49af48e7050f86fb4c34364f152533eeb9

C:\Users\Admin\Music\Lock.UseSave.mpv2

MD5 ec6d5b742abfdda78e238aa765e4c6a0
SHA1 58c1ffb9a73b46f95f489b15d2e4f6d889c254bf
SHA256 3da1657aedd3a02d852903421b3e1d992159801eaea77efffa6f8746ddbaa552
SHA512 8deb8bcd44a6a42d52ead117f6d60427f2443ff5b2472600882f633a8c970c4c638f0ec5c75684a3cabaa0601b6bf9df33e42fbef0f2e657a0ebaec0a4479b25

C:\Users\Admin\Pictures\Lock.CheckpointExport.dxf

MD5 0f0e2dc6c864ff9c249f7b2fd01b5d05
SHA1 8f4d3030d885d441fa728dbb9e266e49c57f8fc7
SHA256 2ba9cdf9f101dc7cd11ebce84d61eb03246c0da045c9dceb6c2e489105452a8e
SHA512 5b13dccaf7393b1f286533208a0468da34e03bee08e6a4af192743941b03b04aa0bd9bf0d618c1d51269f1e329ee2aeecd32b4a2a829576a2c3a2d3bcbe15000

C:\Users\Admin\Pictures\Lock.DenyConvertTo.tiff

MD5 7f4a73b8b8e8f80c0ac786f6a973ece7
SHA1 e55e9e4f8e52077b801c82c27aa54c433a636517
SHA256 7b613b39dbb4f685955a1a3d60f7069125f9d50cc177701ea588488e38956a22
SHA512 a1ce5284f5059a7137a63f8272cb02389fd6d0a84cb82f20c63aea77827c1e9449f30c6204a24408e1c1ccf99ec7c1907c7ec4d41dce2e2a34693e05cb53edf4

C:\Users\Admin\Pictures\Lock.DebugHide.dib

MD5 c5e7138589ce54699c29de21e69ab781
SHA1 3b4d951e2f92ecf092fa39d1615ef2cfd2c8d915
SHA256 2cc6182a2328b3d65a16ce4425c4cacefcfaf4bcb398c06479f5183fdb5dd0e4
SHA512 4e1f1108e70c6b54fbc3f0657c0328ad1bf9d78fa3b044b26152c7258d33ca9577cbb555eafee2fc6716b55658269e9645ae5cbefa65d22bed4dbeb4f8914c93

C:\Users\Admin\Music\Lock.WaitUnregister.rtf

MD5 e371d4e66cfed323c34d3de48e89876e
SHA1 c4320df72cc46cfdc03db7548a7666322aafc851
SHA256 2adba86e1d85950569faa0b5680c038b68c84f492630f5429825468ada0e0fd9
SHA512 b2d799d48e3be8d6a0294d9d9f884ac3fab98f08c86c824af83530df56f93f90a3f9b5bd813028471c43f8ef85fc608dab29ad6c24471066b05ed473d01076d5

C:\Users\Admin\Pictures\Lock.GroupSwitch.svgz

MD5 1a98bce6b1dfdd56e3c12f31a8b0f764
SHA1 31bdbce586ae20443b08ff33e0147d658af7317e
SHA256 ede6412dca7893b2dbdb17d26c39ddd626401e632e2acd9844aa1d19b4cc0e6e
SHA512 183220f947a071f448169c6c5e76526f6d189e8e295e9ab1c9a4c59ae2cee1f6c515a3fda47ca75466d5fa028c50e17e3d9f3842b86fda55fc37673d43386c7e

C:\Users\Admin\Pictures\Lock.FormatSend.svg

MD5 fb7554a8e649d2101e5cd6d87aa4b6ab
SHA1 a31158fc6bc8e6a25f9d5ca8c5cabe385e320263
SHA256 dba95bb0472e5eaff3c56983b9fced8dc179cf9a57d6f4128dc72d8d97329e7d
SHA512 209095ea49097d116be4736853ac11d9b60feeba89c9050b81b27f14065c22f3c897eed4ed51d9ff2c5ae2761ad88de9765cf0bf3158f697e96b4fb281aff6f6

C:\Users\Admin\Pictures\Lock.ImportStep.gif

MD5 b3cac7b65e4e77fcc2d7f58c1adee71b
SHA1 cbc729f883649e8b0d9744e75e3498150d3e0893
SHA256 8d0a9f8600a1514359815715f2891c546f3b90686f9764a83c8460bc99cb5de0
SHA512 b95831276a6879d0f4f72150f05760a6f3770f3d8e8c81a4e451edbaffc494bd413c2255b971b1b6f1f324dc83be80803f85039c761176df9c6e79db6d0e0e70

C:\Users\Admin\Pictures\Lock.InstallUndo.jpg

MD5 c108ab58f18749e5ff1792e421f2307e
SHA1 d8a06702eac850bf284ae75c9172403a852255e9
SHA256 530d11fe1ef783b2addf0a65d76a033664304352b9ac7606cc657dab4c8b5fc2
SHA512 c325a726239b441b6eea09e87bb40f03aa8a01bacfb59de2db1bba393b670e445f8fc44ef5f5a685d5a7762d93d339ce07e278f787d2b6332879fa870e0a0f94

C:\Users\Admin\Pictures\Lock.NewRestart.pcx

MD5 01dc54d761bacffc7f71e42a07fb74b2
SHA1 4e110677d859737503d2b62610db2c25325526a7
SHA256 4a05c6f7362c987a312f23dff9a1429c7b0c7637a2dcc8067f8a6327b65b3619
SHA512 170ce652a7eed16d29e029048a29bccb04d05dbbb774b125b9dcf7dfd48f48c78b0a0527b0eab5df549b0a0822d4d7c7287432e7d078373b4b6a889006b73147

C:\Users\Admin\Pictures\Lock.OpenExport.bmp

MD5 63db378ef5691008e7f0ff77ec5a4374
SHA1 12c7bc7ef5723f1a50371de0bdc20ed53eef1b6d
SHA256 601d6a8c25023295925248a5982f7d166dd188ff37e82c445f4209d2f75c251a
SHA512 0b41d57e1762935a0c8a18dfcc31c3ae2406da613a95db44f8d1cb8b236fa8471abc3f97eec05f7f7ccfd36f2dbd1fd7c93b15b3149598e744a4425bb7f18132

C:\Users\Admin\Pictures\Lock.RenameResume.dxf

MD5 66db7a1cc9137b0a2e3cf95185e469b1
SHA1 819b6b801c17f4b68c2daac33fc7cb72426794e6
SHA256 e0b77e7e459bdd6ac3e4983193a6b83510784eec83ec8c57036a8fc227f8a818
SHA512 f3f1672c9288775ad96961bfd02355bef11604728baadc5e74e8aaa8234a273f205e5ace788d1a308a0d1cd596fd336a9900fbf6d4ceefdafdba6d3cceee14cd

C:\Users\Admin\Pictures\Lock.ProtectRead.pcx

MD5 f4e7c810cfd95a2d4886196e7a8ddbef
SHA1 b70b0e3a8eaa9362247da96c3f003e2c26415a42
SHA256 25da1942da4ebfda3e9f056b3f266bc7bdf6204d25bdbfa88676b016ce01dab3
SHA512 879e93cf31b397a4e9b17b69d6486cb7522df3ceb8760b5a4f2d7ba5dcd32d2b53b186c04a0affad07275b907c6275617b1f4514b6d11489b59cb236a647cadc

C:\Users\Admin\Pictures\Lock.SubmitDisable.dib

MD5 825cfea353311864100ca8076040a1ce
SHA1 161a28045a2b126b9adb877b7a053e4c0c4d1402
SHA256 c3d35c590b3ed8986500483614f76332f80900f01a8e149cdafb86cf5fad918f
SHA512 b01ec5b024a44a9adf361c469709a661e4cc5364dc18c7b883db0d9fabc63896f807c24bfeda639a6a37b2fefe79308b17a0f1f6a5ffd392d3f6fe974994b611

C:\Users\Admin\Pictures\Lock.TraceSync.png

MD5 e51770b73c22c76ea51a988ab04d5948
SHA1 56f2fb409015a8b37069a1c5e774267db7b0835f
SHA256 62bf0865003ce56a745cbf45d8ba50310ef5c65e5ed0c1378a652edc3701dedd
SHA512 8613c61bce68749721ec46a80c88c4a471465f8d6f56873c033febe78561481fb24d8db7d971365975ca6f0c37db986b261be106027b6678b1468131eabe9c71

C:\Users\Admin\Pictures\Lock.UninstallUnprotect.jpeg

MD5 e8a956642311b524fbfd3c117ec5de66
SHA1 3f0b8189394abb0193820dc7f8112f358b295f83
SHA256 89111681ec87429bb45941a302712f1cd3d9cfa49b85ccc06f0080b55a1f3a96
SHA512 7b3643f2a67fd0bdabf5d6930428d36a43f4ef589a2c968c731486e4b3c6f34659e1504caeac9bc328c570711233b14a53fdd93a0ab68505ef85ad2e8a7e0864

C:\Users\Admin\Pictures\Lock.UpdateRestart.crw

MD5 2720e9c59aabf570bc056392453291b9
SHA1 5f50a53171d423277d9e8ca59f49fb59d6c10ff2
SHA256 494e5c6913bc06ff06f6aeceae1dad855e0f04b5600a78581b7fa454f3f5cfba
SHA512 8303c9505c48282a9199a478e75e9b025742724c92990e15d07a1d403be92c148091be39e806252e08150fb52d4b2c23a68f036bb5e267dca9356ed21c0a9525

C:\Users\Admin\Pictures\Lock.WaitTest.png

MD5 9f217e92a66127e03efe8bbd34d8f459
SHA1 d9be7f77eb3f2d644cd5e59a526c21e1466b37a5
SHA256 a00ffa9e44e492aac923589435605b08867d6879505fdff674e6eff7fc7b2be6
SHA512 3adca829d0eafa4bc362772ceacf079c072ddafa94be1ef6a75c022b5504d811f99a5e13537f9b1d56da3aaf47864801d3ba96b7332754d3f129cd2000d8ef97

C:\Users\Admin\Pictures\Lock.UnprotectDisconnect.tif

MD5 41443f4b22ece1644cb267408fa1ea78
SHA1 0832b753dbec2a160c8023f5305276e540f3e06d
SHA256 23bde15fbd3962099365b5bb0e2cc62d4bcfcfa25512543ee28473f5a6d61e4c
SHA512 082e5a625f9bddfaeeb21b2ebb583e53d517d016d630a96b3ab786360332cb51b9b7eeeb2a84756d4b566eb6e5ebf61868b74b6c65fa007824b5f2df6e453204

C:\Users\Admin\Pictures\Lock.SwitchWrite.jpeg

MD5 40f31a5d05de963ffe25d928382a3b25
SHA1 f407ff2bf10a6aba7568058198a0dadeef48d132
SHA256 b173172cdb720529b761a8ede8f253c6afd5fe2dd838c236c4c25a3eb27b9d11
SHA512 ff2eecb7252bfd4b2186facd9ab92b3eb06800500b745a66acd16024f90ac8b2f2e4f573730d74bc79856a30e67d80d931cf21ba5eae8eb1cf4598e8ec775df2

C:\Users\Admin\Pictures\Lock.My Wallpaper.jpg

MD5 1b7ca3a5440ca77da9aba7b158022c3a
SHA1 62d6d1ac8c57ef5c44b3cca15d63bf4868e2eaf0
SHA256 c415a2920a393458b1f36fec018094747e4352dab5c60a0083d6b325eea53640
SHA512 f40b728afc1662163e3f248cce074a199f4ded69f911982ab71cc20a5e3be0eef56fd6f7cfb144307d5833b283063f58794cc9d9d21295c5457e6c6d8e68e6b2

C:\Users\Admin\Pictures\Lock.MergeRemove.jpeg

MD5 e06b2e7ec8cb9e94336e356074af7b78
SHA1 d3a0cd8bbe45d508196d364d16c2f00350da0404
SHA256 aa1fc0dfeedbc5ae3c28ac124f7e7cc29630965f5df1da37fb294f888f88e870
SHA512 ac9515ec73dab9d4e695c83abd69cdb5468ad781dd782cbe41a6dda418fa96de121a547d16f59c20dcc877f0a804918ee0f8310a6ff034e72129ac113bdb2b9c

C:\Users\Admin\Pictures\Lock.InvokeReceive.png

MD5 c089cd2f24da3c201b1141da2eb5961b
SHA1 97718822cea7a7a889c54d794265f63889aeab6d
SHA256 e8f1129d8fd943ac5a547d5418fa6d5e22486a556d981c84e8ef8a436c426b89
SHA512 0a61229fc14685f6bc7542b3d50304149600cd4124d92e26e005c248d3314865dc309d3b0ffa9bd84a1be2d151bded776cd2dba71308608d9a25b5b6083386ca

C:\Users\Admin\Pictures\Lock.GroupWatch.pcx

MD5 62d1e273292b740f90eb8d602055552d
SHA1 56be959b70a6e97ff37e96a8304178d0612fe552
SHA256 d8823df9a0f7f738294032d3886c977e8ba2df7c02933e9e3bc7974992f9eacd
SHA512 d492d583a58c1b5987bd0b775824afad19e85ddeb90221ed2b6a4fd79c4b86b55d847f705b9848b9f54426b374d4b1659e9ca992861c8f1c67e245173eb1ec4f

C:\Users\Admin\Pictures\Lock.FindProtect.tif

MD5 42a3e6336f95a994f1291afdd61da731
SHA1 f344ef09048fbd00b80c02142761ecb286b08195
SHA256 492d9ad266efeb68f28a5ce7208852a3fd08f551ab2243169128aae0c24b3625
SHA512 7ff4ddcf969b413da3f06f907c1451284b0e8e9077b84f6fecb69d1afbf11e557343e580fcdc69ffe617ec33f6214dcbdcc81e1dfd485f9ec7ee4c1fb17731a5

C:\Users\Admin\Pictures\Lock.DisconnectAssert.tiff

MD5 4176f03c5422b607fcb8bc65bde57d79
SHA1 55a18634e6993f98111204e290b0feaec1cb640a
SHA256 4bcc3dabe723f053c2b1bf75ac164023fb0cb38016b26601dbd38a4ced7f0345
SHA512 8089920ced1f5c69eee9856ed11c399610e6483e2c61b91dfb93a86b7dbe7af540b42d965b069fccbd06c1e5f79e2e4dda1f353d89dc3d605c7b3a0197b06ffe

C:\Users\Admin\Pictures\Lock.desktop.ini

MD5 82d46e91be16a17eb99f24cac1768f01
SHA1 d1cd482829c5e89d764a36af5db3b23535b0d8f0
SHA256 cb4e93277081095bdbd95f8bd745a80700689bc25483259ae9d970a2c72f076e
SHA512 a403d5ad7040fa10b999566ca1d417361d4e833ed2d91beb993c5d8f11ee4bb5263861075b484dfc999cc58354b1b0c071405fb993819431e0df6893e01589c5

C:\Users\Admin\Music\Lock.TraceDebug.ogg

MD5 a46c29c847b9a8fd734d0e5be13939e9
SHA1 1ccafda04fefc719ebf8805bc74ebc9943c386cf
SHA256 e423d06ff02aaa9242c9ef064ed41d7e86a58eb0085c3efa545b108e9f6e8a33
SHA512 4f1e33145d0767fb65b7f7a19da2cafb700c15319354f9c30c943a09da1883a4913e1c8fc4734315842f1de07d5694dfb44e6dfcac36b1ae5b9a1ddf924fe40b

C:\Users\Admin\Music\Lock.ProtectWatch.bmp

MD5 1bf6d374ac487ae79530b7c9823eb2c1
SHA1 70547affb6e16ae9da40a81fb09919a0f25cd047
SHA256 82a9bc9193914f244878b5a09b10d1f4a4ea30af3d8c41dc8620e545b5e718e4
SHA512 e46b1463b46256ce415068b8362da7a2267158b449d3a9928fab8dd7226d201178bfa4f256a6257008c3f0ef8383a41bb6f3b5349bb595a71721f8cc222ff9f7

C:\Users\Admin\Music\Lock.InitializeDisconnect.vstm

MD5 6fe6a8d3965adc7ce690c5f175dd59e0
SHA1 f37f1b47e1694b7b33213bb8c9f223650913f6f4
SHA256 03f96d5f7d70289f2960930cd26fe6fcc3d5484e08556f582c40e5a1de9e2bcf
SHA512 d9560ea2a45d391d2b20a4dc9fbd54ea46ab2a40145f8e59ab26b34eb5d97c7baeb0cd057eff89d06349445ab9ba815c5c112dc488a4ce71b211aa12abec427f

C:\Users\Admin\Music\Lock.desktop.ini

MD5 3e5d2582a5d0c915afef6c8cafa343d1
SHA1 7062928a2ec000838f78dce8c48693a1859471e1
SHA256 34ae08d15c34e017facda7c39f7b5f9e8cc891b160072b908969a1a2523772aa
SHA512 2cb2f561be74448d361099883ea4fdb9a1ea17a82970459fff7e35802617726561b52955b147d5fb23d3a3bb3d88539af645886c2d0e46716fba5c641a2b90b7

C:\Users\Admin\Music\Lock.CopyRequest.TTS

MD5 1e6f1502f6f316a0089f1afea42c5e11
SHA1 6e905bd5e1b2776a532a5ed9a104042a608bd303
SHA256 e9a641985c6bff968da64e2dfa44fafd6777d5c9dcf654515151e0ab206d0b4a
SHA512 8a036f9ff4d6c1205655bbc27f8bd61ac653070cb3c2b96439445b26b03d7f77e7271ff20c4061737236b30be77026a637ad1001c7bfd31e9361cb0c0bae0ab3

C:\Users\Admin\Desktop\Lock.SubmitSelect.ex_

MD5 144730898b5536c7b0bb9e048f77ecdc
SHA1 03f63c3af37985da98253a7b40883926b9f0b04f
SHA256 8b526a9f0c224182380ff9ec9f324bb7d6537248961949efdaf039c394b945b7
SHA512 5e0f4b1741b12e9df86b311e2c1d5479851342abce4469ad5cbda55c5155623eb2d202019d822159d4a7b9ee8e692f2c33e45775e14ebc61e338d44cb8e807e9

C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe

MD5 dd15af9b32ea193e0c82887e4601f2a7
SHA1 bab37b838bc1d858906f1ddc66c5d1168320d192
SHA256 7189f55b3d5153bd190991dc5e3349755e300fd20b0e52a34e57579e20308888
SHA512 f51542a4f6ae0d92cfe18afe4ff64c4961e04e24f2fa88da1adcaeebae28928c63e3d33e975fd413608fd3d03c5111340dbd8c4ff6a721e72154f5b7c5a54688

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d4c957a0a66b47d997435ead0940becf
SHA1 1aed2765dd971764b96455003851f8965e3ae07d
SHA256 53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163
SHA512 19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 343e73b39eb89ceab25618efc0cd8c8c
SHA1 6a5c7dcfd4cd4088793de6a3966aa914a07faf4c
SHA256 6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223
SHA512 54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e0d65f3ed65d94a4e42453fd53591983
SHA1 c982e5e2ed4a9962dd962069e83ba06344a03289
SHA256 92a43f1875f99920a6a1a7b42e27dff46713feebdeec737ae4bbec1497bd8547
SHA512 f68106700fb6dd1bd7156ee90bd68cca841281d21e6434c10862a921d03249474866609305c34b455b7cc4de4058cf007b5394901b667eb83db65bcabd434941

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 20b13bde8196595c4daa8c273922a9c8
SHA1 f00806eef769a0b5172797758e1fcd9779efa09c
SHA256 746ac70fb00bc228862ac8337983b570c77a11060ed4ca632331ecdc3e0aa9b6
SHA512 87394535fb4aa9b15e9b283b92a5ce695fd72c9169dc0fe2dbd970d880fac11e7b9e2f437ae598a7ff11a86f8b15332cb5b5c9a77000748e9619e5c58a6fd524

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe6090ab.TMP

MD5 3d9ce96fa073c21716fc39818e029d60
SHA1 9a2faa681910d5caea681b73ab33e8e8c6b5b828
SHA256 13369da4514ae936859c22081732afd4c0a404e45c58212f81e5cfc3009290d3
SHA512 da47a39d074ba83ca2dd689d18a8d2ab2b5e4689a0dbb85508afcd169f1716f0139ced7aec6943cfa0f981507541b05c5ab9a8e9ca6b0dbf5bb5fe4d148e26e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 5ac5e879daf311da068f1f12f7e8ac02
SHA1 54e9c695a72eb75d47e39409e6b12b25091d46b6
SHA256 5e5e15bcb4e81e20d0b1c9f28471bf6ff087e078fea1df0f253341515d72c7fb
SHA512 2d22168a5d388c8457ed346e611c6569fd34dbd6ec8343704fcda8882d0507a6da2074e058c4179ca9de2af6f5a1fbdcbe76786084ede32af065b5b31fcd1fee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 36dc2f1972327245f7fc4ff16ea03ef2
SHA1 97fc1741b65d725c8a43f9d57bf57fa8d55d297e
SHA256 41a02b538d31d4d03897c54d17f0623e6d00493eeca92bbf3b68089bf63b04a3
SHA512 6b41cb3cb6744b93b164f952595d442665f1b4ff303fcc884717f8a02385689bd7e09ffa742d51b006b568b49a2123972b0b07360e045dd82cb330ab6fad091b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2dd43321fb553783be010f3d92eef1c5
SHA1 e49b37e0f897d47d7d1974b836ffb56216005267
SHA256 78bf100c1c7e4c165b0c4b8a45e79955a466ce9a42920de745ddb000ba0e0cfc
SHA512 7da729d0b8b8b795ff9aa0b21b4988a8f7a1b600f52e0ebe11ad77a52e6c6f1fafd66cf730ef70de0fd1b692ddb6798cdaf0d0c6593cf57c9cb88a9f2e7ddfb5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 41ef8dcb7b8a4d1d49e1a4a190d5bae0
SHA1 f67caeb8ba970cde0543fac7dde0753466289da1
SHA256 742820aee2f229a872d99e787273a4e922ad770b9693a152cbd9ec293ea36207
SHA512 fbe3cf0c994d12cdb159a385bd8560b30c5c43ca06fbcdfdc8f2b204620dcbd7c6dfdf27d68393d7109df434b57d1f3f34bf5312aea77464d077c0ef0f71109c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe60df96.TMP

MD5 7d911b7826da476a75982742da6ae581
SHA1 e4b65dff5c13baa82e6e388369bd503dcec1f9fe
SHA256 a9c341bd3bd276924d54712ff8e5e6275fb5ab80e850f402499cfb0233546b86
SHA512 38d176e7df73f9f10dc68b92191df1092dd2c6098a3b6ce83afe651af792f79ba726e56986bacffdf1be497bae96db53fafa449fcd0b3e254a190b75920711f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1cd3f2032aeae03060fb7720310509da
SHA1 e3eab5a1e13ef44074d890d28a59b41af74e0a6e
SHA256 8836b960bb0555c17b5c59de4c7863e4921611b7c51513b98041c2451cada871
SHA512 489a6ffab3cc5749a8ab48a755e2203feb834f9140e4610f244b48885d0c3688a0ceb440c9918ad42baa72133ee15d3b3d4d8bb57ae6c01088f61d10c59c7678

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\235b360a-ec4b-4ddf-a580-4b51ecb43d33\index-dir\the-real-index~RFe60e5c0.TMP

MD5 b84a6dab6c5809ebeec4ca2b63576c42
SHA1 6761b5ff982d02bee43da80c17ae083c0f92922d
SHA256 bfcf6cd4e757b46ed6655e60065b70aba12d3c7440dcf78d1477f6bf74bd1d70
SHA512 b04d48bedd4b6b270bf6fd4b95cb493833f30653a099ef81c3adf766a6e127dccb481647e73e8e517f8b244442c49e9ecc9d40530f4174765fa21a340abee9b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\235b360a-ec4b-4ddf-a580-4b51ecb43d33\index-dir\the-real-index

MD5 a19d5571b4682353eafe2879023258b1
SHA1 bcd0930d6332286d117e9545b5d40a5fbac6cad1
SHA256 af95a2d4cb695ca80548f7bc6a0fd1410a2f60f38461fa621b4b2ad7678c5e98
SHA512 b8179fb18d3c586e78e0c66434dd8e89f85c4e47620a979b428d36746c684ea9b8486240953651dca8d0d507b7d388c53f130fe34d380f5a1293bbfcab2d6e55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 8b69bea97f2f56cad86b243fa9a84b38
SHA1 adfb6bc33b41439b2d88d0cdb47d45f27d680f24
SHA256 ecebfbfbb96b9fcb810bd89ad47464078a9eaf09c49bdc03ae4270f0183eb09d
SHA512 479789a7d2b2076653932445dff1e4289fa55ceb7207bc1a9151898c92f7d65b401338433c01040b03b7deed18f904a9c3365ec43f11600a9e88ce2e07deabf4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a9f484bcf45d89ae043805a179bc8177
SHA1 bf5c977c8ef16f5014e4df7e602956d8f83d80c5
SHA256 77acc6439f430946885e77917f96d85596e205e0e761e918c479dd12714f19cb
SHA512 b59b11ec782b3a0a7fb6af737f3d6dbe50c5845d9c238a466bccf673ba7ea50c26dd0279261e4e99173ab66f388ff6dc367a8cc55796b5573a4cc995aca06b78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 87c054e5d4068438aeac6aba4e20ede1
SHA1 7c8dd1433f81b525091a2f1d35eb8d3f99e423d0
SHA256 25f0b0d3e54c289f2f5e39ae1a77aa22c9a9058674e15bfb31f091f7b72f497d
SHA512 6e52f217b395404e32394d3b082e215c039ec5516283669282cc7881d3404264b26bd4c2429c4383383dfb0f553dc85f5fe01de78b1276cb853b3bae3dbc54cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 871d7cc1d1f6eb4e8f9a3860f8d5d2e2
SHA1 d787eeded82a0d6d1ce805e968ca78e06d42b8b1
SHA256 a062c4fdae4bf2c6da41c40e0f9219073434d08ca0dcb3e10b17bc4f876e3eee
SHA512 07ce0ec1d9d39b71cc2320c535e813e5726774f34530d243d69f5500bf6a199af4073d7902c5d270baf58ba4d5777779cd153fbcad558f8ca5be0fb3ee340ff6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 90a027910889f38c7b2215bd4dc1d74a
SHA1 62553885eea7d320d875f16b7a459f04ce8a7af1
SHA256 57ed6ddde35d6c6b3f63f781f0def4862df4d21c6727c9f01ad7bc3b50233e36
SHA512 12a6f41e9e2fd2b944e94909f7f4f3abd79809039ba13d3b19a65788b92a4bd490e1aef8a1c3d8331852252e5b29e2dfbdb5c72a601aa73b37449d56121d5dae