Analysis Overview
SHA256
e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
Threat Level: Known bad
The file JOKE.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
UAC bypass
Njrat family
Modifies Installed Components in the registry
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Drops startup file
Enumerates connected drives
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
AutoIT Executable
Sets desktop wallpaper using registry
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Kills process with taskkill
Suspicious behavior: MapViewOfSection
Modifies registry class
System policy modification
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-24 04:26
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-24 04:26
Reported
2024-02-24 04:56
Platform
win11-20240221-en
Max time kernel
141s
Max time network
160s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2548 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | C:\Windows\SysWOW64\TASKKILL.exe |
| PID 2548 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | C:\Windows\SysWOW64\TASKKILL.exe |
| PID 2548 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | C:\Windows\SysWOW64\TASKKILL.exe |
| PID 2548 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | C:\Windows\SysWOW64\TASKKILL.exe |
| PID 2548 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | C:\Windows\SysWOW64\TASKKILL.exe |
| PID 2548 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | C:\Windows\SysWOW64\TASKKILL.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JOKE.exe
"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 3.126.37.18:15217 | 2.tcp.eu.ngrok.io | tcp |
| DE | 18.192.93.86:15217 | 2.tcp.eu.ngrok.io | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-24 04:26
Reported
2024-02-24 04:55
Platform
win7-20240220-en
Max time kernel
1140s
Max time network
1163s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
Disables Task Manager via registry modification
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\xina.exe | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
| File opened for modification | C:\Windows\xina.exe | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JOKE.exe
"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\d3f20c9590484c7ba1111dcd9ddf0c7b.mp4"
C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe
"C:\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe
"C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.157.68.73:15217 | 2.tcp.eu.ngrok.io | tcp |
| DE | 18.157.68.73:15217 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.157.68.73:15217 | 2.tcp.eu.ngrok.io | tcp |
| DE | 18.157.68.73:15217 | 2.tcp.eu.ngrok.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\d3f20c9590484c7ba1111dcd9ddf0c7b.mp4
C:\Users\Admin\AppData\Local\Temp\yudkdggsqo.gif
\Users\Admin\AppData\Local\Temp\3cfef6f1b37c428bba54270c04432813.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS
C:\Users\Admin\AppData\Local\Temp\RarSFX0\prj_13626871_c66985d209c8197ecce4f5ce7899b49d_1656581581.mp3
\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe
C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe
C:\Users\Admin\AppData\Local\Temp\77ba7f12f6bc4cc4ad5a42c777244e5e.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe
C:\backg.jpg
C:\ben_icon.ico
C:\guy_icon.ico
C:\xina_icon.ico
C:\the_wok_icon.ico
C:\amogus_icon.ico
C:\skream_icon.ico
C:\theme.wav
C:\whenimpostaissus_icon.ico
C:\ustupid_icon.ico
C:\speedrunner_icon.ico
C:\avocado_icon.ico
C:\xina1_icon.ico
C:\xina2_icon.ico
C:\xina3_icon.ico
C:\xina4_icon.ico
C:\xina5_icon.ico
C:\xina6_icon.ico
C:\xina7_icon.ico
C:\xina8_icon.ico
C:\xina9_icon.ico
C:\xina10_icon.ico
C:\xina11_icon.ico
C:\xina12_icon.ico
C:\xina13_icon.ico
| MD5 | fafd6d2d4a64f53220994bd4bbb9de94 |
| SHA1 | 05d90ef5327c3ec114d0a36cb29927ca4796e5b7 |
| SHA256 | a8cac8b5521a9ff85faa0999ed21af3669c57a9cf51eb14760c001305c44c195 |
| SHA512 | 64cc77861e5a3679cf2f323ecd673805aa6df266e720d4e889ca283017201d25f194767b7c36aaeeb4a4eebe062d2597fc3e13f1b7e6054b4707ee74178df232 |
C:\xina14_icon.ico
| MD5 | 398df692cd2ec1bb7920ea5449d965a1 |
| SHA1 | d4fb9dc4e31cb5ec3ca4e2dd2223a0d4bc4256ec |
| SHA256 | 76fe950ef1408b93f1a13a7197cd3221d8eb6f6660ccf9aaec3bf94f8b9ef703 |
| SHA512 | 2156c194183d961a06daeca442fe8da4808f2065e8936f4fee10f487784721c0976a69e39a466f1bc1a0c31e082025774a391bbad2138cab638bce4153ca7201 |
C:\xina15_icon.ico
| MD5 | b28cdde3e6551f820fbf4d1ae4da6677 |
| SHA1 | 8e1fbc56e308b24dca374eb5debc9e9bdd5f6135 |
| SHA256 | dc1a15e29698e60ac326185e619eb875e869ea3d01746ac0701d11a2716f6b85 |
| SHA512 | 21bab2e588190151a380d0663f0d8f307c95805af7197bb2adf6019bf28eb3cf57d9e7f621395a7f23ca847811e5a9fd316bc45fa3208c71832966c4127b8cc6 |
C:\xina16_icon.ico
| MD5 | 66bd198bf0cfca918c45067bdbc354ea |
| SHA1 | 04d7bda4cd83a7d1e950a8da7f409eea72033578 |
| SHA256 | 06f24e06f12ce66cb87a29d7eac67befb737ee1400f11071d4ca83ecb5c78dfc |
| SHA512 | d2d775f19e5cd72671c739d03b6bed554dcc517f93bb83cba7bbe54fc3408cb8d177bb237620894f0cb45117bd902b6e39a7ce3f630f21c8c45b08d2280306c7 |
C:\xina17_icon.ico
| MD5 | 9225599ab65c613124185b2529989cd5 |
| SHA1 | 94cf9fdd8808ddc34d8c552a5fd52dd3bd6b4043 |
| SHA256 | e64658b6ee5ee61b29cbf79812b1f6cc45367eeb2cbe9da9fa5f1e63979644e8 |
| SHA512 | b535e4bf42d1bfe8d0280a694e8663fdfda224b030a80f0ccf0568009e1476cc062c3e88f9e3a3c31b62e5156504570fc17f1466acc234e83cf1f3628ac999b1 |
C:\xina18_icon.ico
| MD5 | 3807d3a5a2f9fb626c97e048e3b64b1e |
| SHA1 | 1b14e6ef507551e72370b03a876e9534b0da3883 |
| SHA256 | 5d99c8bc9f302d87e86addeebe013c34ca4305f3c9752fd92e979ac6d97aca34 |
| SHA512 | fd5ee94044f25dd20495dc3bae17ba89257211be6ca36df224813d7a71afe8270df7e8a74d11655dc6ab1397b5ceab3e56bfeac149a09d3015f10d4b50755164 |
C:\xina19_icon.ico
| MD5 | f6ecf41acb43f283021fa952e762b9e4 |
| SHA1 | cdd89bee571630d93ceb186ec5dbef3fc28d0019 |
| SHA256 | 9962141bc3e2a1936bffa25de1e8ad85aa630d4a9770f90e9900534784683be2 |
| SHA512 | af637de1c505023a03e2fce65847fbb596a3c7dc6789f636dfc78b185b583e801274fc00f63c12e531a6eefb505a0c2bb29222a133a4f0d08a1eafa3be17acde |
C:\xina20_icon.ico
| MD5 | 0e027d0c11f6adfa7aaf640ef5cbb83c |
| SHA1 | b9d69ff6f1ea832de0c713fd2011a1d588cc1d6f |
| SHA256 | 93bd144b21f021708564d17a127b241b6236ec7922cc772a78bbdfa9b0fd8ee4 |
| SHA512 | 77c242c76e6f3aaea9df664ccfa280af6c4931adad908a069073d35cbbf521f5650a0135239f6f831049a5d13ebab595169f27eb9f847a952f8a47a18e092d7c |
C:\xina21_icon.ico
| MD5 | 0c12f084e52be0801c90d48ebaaa9c4b |
| SHA1 | 8954a0a34e1344e0ef0a8920c9935dedd1eb4dec |
| SHA256 | b1b86e511ff375352a46b9b6fc8f3a7a20c55b7516dd1dd9d5af38adb7f527e9 |
| SHA512 | 01b8f27eb18a77a7be9a1b910b93c16afcfda1e0c371463619dc6562bfc469af34d152282bde6fd4c14fc191c6b7cf1877d8607e257489498ba1c96f68c52e2c |
C:\xina22_icon.ico
| MD5 | adb1b10c27228fd7a59a50a5839ee6bb |
| SHA1 | 579e67dca36773986fcebdd955f86cb6d47a7164 |
| SHA256 | 4e876b157be27295d52d754db4367a05e2bd10550006355fef27542de0603c1d |
| SHA512 | a2efeda33021d205b11cfce73b9897e82571f42596438020786dc58abcb0e42287ac3730f5f57fe92249f5b8fc8cf74f391fab5ba25004ee84b3741be4849499 |
C:\xina23_icon.ico
| MD5 | cf293a4f73d67d90b43d6fe2fc707e0d |
| SHA1 | c779c8794392ac1d907170999a15d8a7440e85c0 |
| SHA256 | d2767668d76008045bb9ac633f6ae30daba499cdd4c803030b3f4119169220f6 |
| SHA512 | cd2dbe59f40101d36bcf9b2da70ed8f03e66e5c57386be68bc929e1fd05ef2b806afae135ec703e960bc159400cb402d409e7745f7b348ff47fb24861267dea2 |
C:\dad_icon.ico
| MD5 | 8883262af502c220932bbc50979391ca |
| SHA1 | 0be9ff95e86e798493f5f067a6dd3ddec9ed6832 |
| SHA256 | f500586d27d938ebfc965c59cdc42e361b78bc41246d52a075bc278271c96fc6 |
| SHA512 | ca78bd4cbf199ac1ec91058e48f357b3dae908a5bc06eba132ad9e143d5791d11e04462a96bf836999dd412ff0d9f37d06243c8b944f84ec354a3fb223b1d076 |
C:\walt_icon.ico
| MD5 | fa516d1d0fce7db4dfa81e73cf74e917 |
| SHA1 | ecbb4b0ab88b6c7574279693bda9a7cfd0a2d9c0 |
| SHA256 | 335b92e10ea035e1061ab8d44d02472d2db80a838eae63900b9d02ab9483c4af |
| SHA512 | f9adda2c53121fbe6a0c42582f2af6d19dc8225f9422a2163210153bd5bc458cd4fadb1d97085fadc658b45557ddc3650ca96d68764241a153c70b68569dec8f |
C:\bass_imposta_sound.wav
| MD5 | f6d67bd69fe398b2c5238fa4c9d6455a |
| SHA1 | a8c7dfb2cd54dd46f2eb1e2fe6a19bdf40c47e44 |
| SHA256 | 3ad823c535650fcba2de953fb2ce6fc46afeb04e529494e6b60b788cb28ddc32 |
| SHA512 | 63e0e262338850ffe35929af320d17eb850efa046f860ca4fdb93518dbeeb2fe9ab3d4d13305c6d1f5c9fe78b42615ac0794d160b66fad5e3a30309dfed117e8 |
C:\omg.wav
| MD5 | 4f0ad7516cd72bc8e78452edbfb7675b |
| SHA1 | fdaf974becd0d3d66eb580df0e4beaf048ef22b4 |
| SHA256 | 654700adddf4f3b7f18f08d3d7ba2df035a026fd38b86f700b950d4ce4cc0cfe |
| SHA512 | d973a212cb46199bfbb938edd724e187f52d273eb92f0f32390f6b8c269886d55a2009545a3b46d456eb8a42f1c76e4956bfde803898d053e2164aa58a92f584 |
C:\rock_eyebrow_icon.ico
| MD5 | 56afb11ebd7367af4c03b065ef3580f3 |
| SHA1 | 4f30fbf3d5c0469533c1b33b98aa612e6704c14b |
| SHA256 | da6e60fa7d074a5b8a90e3ebe53ed1c01661423ec0ec1ff154857bcef14ecff7 |
| SHA512 | eef0e1be7dfde83f546d36f41a6339ce17d5c7153da3f3d003838c333884458697b2d156abf9c119f4786d4d53f08563b79d17c0c3e316dabfa519db145e32c4 |
C:\fnaf.wav
| MD5 | a91d1592b7e50f377e7d173951c58178 |
| SHA1 | ba8c41495c9209b17b2538bc991a537f3493ebb1 |
| SHA256 | 65c3102f1a750db1921c3c28064f94f1b53aec88852b874810cefc6a74f402c4 |
| SHA512 | 8cac33c4b2964fd87ce396e519a894c6674f123e4c2f3642e358dba59ab64a17c110aa74363fca1436fc325f0a986ffdfe94c161fdeae30e425648576a8be1db |
C:\bom.wav
| MD5 | 1c782f17124b6eea9619acc46fc165a4 |
| SHA1 | aa22fe4a52723cf2ec83af3b478531c83ac1c589 |
| SHA256 | 9f1c04f4d37d995f9f6cdb7751be399468c275f91c35f30bdb45ff9ff31190eb |
| SHA512 | 2b63129054cffd9037963f9e42c46c489e697f81109f8465c9cf3915894f143ffa444e9fb1bef195111ea915f36b51f08246b5ddc7ae5763d056bd0c8b0a7921 |
C:\amogus.wav
| MD5 | c30df0f1ba8d92eccb020946a107c7fe |
| SHA1 | fe95d0b0246a4ecc25fc89ee7102647e12c1dcb5 |
| SHA256 | 3d6d12cadb2ef6fe5b2a03d15964512bc32895e338c2da25ae2cb07bcb31deae |
| SHA512 | 624aebee4d918c8eed1716d17829a36104eb5aeb2d23be021e61f9d8e59a6aeb7215c14365ac081fa2f820e561aa108be25640d1634983dff7ca8ebd4dbd6a45 |
C:\obama_icon.ico
| MD5 | f89f675153effeea979e32716d1dcac8 |
| SHA1 | 84780277f79505ccf920d13391726741e127a79d |
| SHA256 | 99232a1b8d11825ccdc89ad8a9e095c6a1c36731836c17207ec5f45cfc0270f7 |
| SHA512 | 8c447c5a226a127cb671eac033bc7db370a5dd47aeed7e46fcbd112684bcbff300827292c8bd87aee6f21bff887c4c04b7620b3bc22a3b6bd3b6843678083fff |
C:\scream.wav
| MD5 | 2d714bed0f2a11e2daba10305c667e93 |
| SHA1 | 20af1afd4f3283cd142904a285b6471b119f8079 |
| SHA256 | a65f7847e0c4ec164b204cb5abb90a4b58cacc4c957f0749b52c7130094b860d |
| SHA512 | da26fb5aba9377c746993daf6ffbe3df60db4ce0992058b7d70a1a26398f9014a7c111775e1acfe26526500a90daaacf805dda3b8a7cce87c36b60f641fd0119 |
C:\alarm.wav
| MD5 | 84b81f71beda7afeded4085a84808465 |
| SHA1 | 7199bd12cc0ef1f77fcaaba8b3ea5645ab388dce |
| SHA256 | 0884ecdc6f9a9ce52f67f6fdeaf02d579b2d7a1c7cf14d20d77c2906e41196a9 |
| SHA512 | 698bdbc47b061ad37982195a16930caeaccda52f95f9c0d4ed33653590023eda6a2c3f110ea2112aaa67c99ed588d9117797aedd9298b36b37e78dcc5c74a5ae |
C:\ustupid.wav
| MD5 | afc635b14cc1d36ce347aa3ad423bcde |
| SHA1 | 306b78de47455914a0550229035516b951e638c5 |
| SHA256 | 80d9439a20f9f0b09bfb6b7b71a84bd9875c2363141b323522ab0473df90c0b5 |
| SHA512 | ce4b43b1b876b741d312a045fede59c4b1287f084a4fd0a1929aa8e6da3820450f25ae9436d48885e30908201e6a82cd3ad7e8e9d92b16aa68aa1e0b37366d40 |
C:\sussybaka.wav
| MD5 | 8853da13437c21bd8c8b131dacd73d4f |
| SHA1 | 844f143af3aab36ce1cee355eb7e7c5a4ba67f4a |
| SHA256 | 7616c3dc3ef9a7a6d08a54a5e955b33f001647f0821c29b92b022c044226e480 |
| SHA512 | 31a3989fddbffbb8e6979bf3e855eb13ba97146cc1cee4ab6f939cf002e0a2e698a12383f0f2a8d3d6aab437da9bac7e641189565a7ced1d2c5ae1a8f149cf30 |
C:\amogas.wav
| MD5 | 7c96d6b14ab956a856d47e87c4be4553 |
| SHA1 | a4626ab555204ae9221547b539fe9fe8b21cf500 |
| SHA256 | 3e6482553b51c3bf6d419f8333647f59762240861c79f166d1995fc59eb189b4 |
| SHA512 | aef86dfb77cce4064a634f3b1accdebb3c066e6d9fc966538df80b2c0d948a017b1af1bd34d93d525f907bb983504544d541ae1a1f074caabaea55d71b4f3f3c |
C:\hell_no.wav
| MD5 | 22aa4efefa11404c5656516f4f257a59 |
| SHA1 | 2b7476f4fc38d51303dc78dcdef4577ea59efa09 |
| SHA256 | 88f4e80980753871fe322f8dda83e72900cca29961efdf25bd119b259a57d05e |
| SHA512 | 167d77f6f5aeb19fc98b6dc969f8ea91906aa23f5771b3f764884a685acbea5fa545486e72daf79decfa86265e6718a0d5e95c6f9c01bbc14a5c6b7c0ad2380f |
C:\fart.wav
| MD5 | e87a6a5fe2591cb8c7a88c0bd4cc8d3c |
| SHA1 | 75c4ca221b2f4782709f16230059bf8413de13b9 |
| SHA256 | 840bbecc0e95ca503740df9ac0ac944303c4a4c5f163a3eb4d4aea329629371c |
| SHA512 | 2fce9c3827b0d16828175f8ac86029f615614ad0f147c95842113824d8177e2919cd0e09d67b9723396d259dea99e3b465b7a83972a8f1d344925cd8c14f0605 |
C:\whatdadogdoing.wav
| MD5 | a55dee0b6901e6cc5dee3ee6db227b41 |
| SHA1 | 914b3ff1faa2a3009b13044ba08f08a71f2f3f20 |
| SHA256 | 6fd47a0e90adba6e9560ba5fbbc162b346b528aba268300f560d5a144924bd9f |
| SHA512 | ecbd6e493df019e3045a420e0aa6235fdee1d1e97e455370e29ee7563e7c25f9d75afa9b7c1c9d8e2693e90e1271811dbe88072ba8ec4e93cf23d08cdba0f4b5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-24 04:26
Reported
2024-02-24 04:56
Platform
win10-20240221-en
Max time kernel
575s
Max time network
594s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
njRAT/Bladabindi
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
Disables Task Manager via registry modification
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ention.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\b: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\x: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\l: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\z: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\o: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\u: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\a: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\p: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\r: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\g: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\q: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\v: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\w: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\j: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\s: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\t: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\k: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\m: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\h: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\i: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
| File opened (read-only) | \??\y: | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\xina.exe | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| File created | C:\Windows\rescache\_merged\4032412167\2900507189.pri | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\xina.exe | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
| File created | C:\Windows\rescache\_merged\2717123927\3950266016.pri | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\Locker.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\MrtCache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 02e8a374da66da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = … | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "415516152" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 00e3786dda66da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JOKE.exe
"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe
"C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D0.tmp\8D1.tmp\8D2.bat C:\Users\Admin\AppData\Local\Temp\70b6265c39b142559a655f40f3d16ae8.exe"
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe
"C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe"
C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe
"C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe"
C:\Users\Admin\AppData\Local\Temp\Ention.exe
"C:\Users\Admin\AppData\Local\Temp\Ention.exe"
C:\Users\Admin\AppData\Local\Temp\Locker.exe
"C:\Users\Admin\AppData\Local\Temp\Locker.exe"
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe
"C:\Users\Admin\AppData\Local\Temp\0abc48bc70dc4b02be542a29d5a4e04d.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe
"C:\Users\Admin\AppData\Local\Temp\1f4f58aef0cd43998661e843de3067ea.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
Network
Files
| MD5 | 2a5f27d8d291d864d13eaa1f5cd9cd51 |
| SHA1 | b39f9b99b924e5251ac48fad818d78999cfd78d4 |
| SHA256 | 056232b6127143e2f8bf4218db355d978e1e96f5dedcce59a9f5d6ab92b437f1 |
| SHA512 | 1b54f1e13cb38e41f2a65db3cdc2bc702a9e963751b1ef0338d67b95816441b0143e1d4dabc99f276a04f9c00570bb8933f1bd87394998b3878c268b08ecf24a |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LFEYDNZV\www-onepick[1].css
| MD5 | 5306f13dfcf04955ed3e79ff5a92581e |
| SHA1 | 4a8927d91617923f9c9f6bcc1976bf43665cb553 |
| SHA256 | 6305c2a6825af37f17057fd4dcb3a70790cc90d0d8f51128430883829385f7cc |
| SHA512 | e91ecd1f7e14ff13035dd6e76dfa4fa58af69d98e007e2a0d52bff80d669d33beb5fafefe06254cbc6dd6713b4c7f79c824f641cb704142e031c68eccb3efed3 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCALUWRY\rs=AGKMywFRe-uXq3Zl7DKngxjSYzI0kR4DvQ[1].css
| MD5 | bf2b05164e4fff1bbc7a59024d2ebb1c |
| SHA1 | 9c91e21aca4f3baff2bd30e0da7b7430a810358a |
| SHA256 | 72d2f9ef26363b27fe8bf6e491da6c6cc975707829fde01787830d1baea32242 |
| SHA512 | 27e3cdbdaf8318f99cb0e3020a1cecbdbefb6e47c8d0dcf9c9abd71613e252e7fa99258b1a6641eb6e889c296b5f0fc6e5b342d415ed6c20503d3e96a032c6ac |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCALUWRY\base[1].js
| MD5 | 05068401e84164a0ed0446c186a08140 |
| SHA1 | 7db58d26661fc99f0abfe4666a535e1fd74e9f22 |
| SHA256 | 8118050a27f735b626239738ae0e5ef7d7b79eb0fb27760dc1214c1f1ac00275 |
| SHA512 | 1d1755de710c4235efe6ee688d7d7c00734a14fc614db81667f8e10d51a05c74863e8ea7fdf1dac3656995d6e1756c7b0689f565ccc840ad0ca014cf83603d8f |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZQ71I6HC\spf[1].js
| MD5 | 09724500269dc3256e3517a3b3526306 |
| SHA1 | cb72e3f6e5d0c8cad37bce37a5d81fa768d33037 |
| SHA256 | f333d8729a3c54012666dff2de67a567e3ade40c708cac4a1b6f7083cb1c5c63 |
| SHA512 | 0fbba72fce072bacf3fc9ebaa4778272c15ac650e0978ec71e0423433b2c91884f4baf01f275aacebe693b57640d2f577d6b35ed77ec1c5505151561edcebadd |
memory/2652-202-0x000002285D020000-0x000002285D040000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZQ71I6HC\network[1].js
| MD5 | 71464b30ee74399d9bcb61eb2506c9a7 |
| SHA1 | 04ba39b53cce7deb7c316d0d70ac710128a47325 |
| SHA256 | 99599ec6f3fb4d9ae90a3ac4fa8e73448cd94e47a0662c7b80bc1427004f4e67 |
| SHA512 | 5ace36f2d24351e2af12d0aae0fdf6e1b287e0ae8bb75d9fda1204ab8d475ffbcdd97daccd7b057878b05e427212704218b14dc842e01ccddbb122f48d709a5b |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZQ71I6HC\desktop_polymer[1].js
| MD5 | 66cbcc358d4aba2396e2abbc0fc2a233 |
| SHA1 | 78f855fd86d5ee3e4e0857fc59f0f196460b1353 |
| SHA256 | c30616610b8ff4c50213b70ab8eafc19c8156a20a96868ed63ea7a2672980d31 |
| SHA512 | e1d59f4a59ad5c092ae91c491532e18f9df0372a05eabee2d605fd415c5e94b6c25a74d427f6a29e60efd33be5440da36d5027ee0ef935ef4877ac27e6c8a0b4 |
memory/4816-219-0x000001F1F64C0000-0x000001F1F64C2000-memory.dmp
memory/4816-221-0x000001F1F7080000-0x000001F1F7082000-memory.dmp
memory/4816-225-0x000001F1F70C0000-0x000001F1F70C2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2D6264AR\edgecompatviewlist[1].xml
| MD5 | d4fc49dc14f63895d997fa4940f24378 |
| SHA1 | 3efb1437a7c5e46034147cbbc8db017c69d02c31 |
| SHA256 | 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1 |
| SHA512 | cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a |
memory/2736-246-0x0000020157AA0000-0x0000020157AA1000-memory.dmp
memory/2736-245-0x0000020157A90000-0x0000020157A91000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\D9J1GOXY\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF905BE94D7D9FEC9B.TMP
| MD5 | d3cdb7663712ddb6ef5056c72fe69e86 |
| SHA1 | f08bf69934fb2b9ca0aba287c96abe145a69366c |
| SHA256 | 3e8c2095986b262ac8fccfabda2d021fc0d3504275e83cffe1f0a333f9efbe15 |
| SHA512 | c0acd65db7098a55dae0730eb1dcd8aa94e95a71f39dd40b087be0b06afc5d1bb310f555781853b5a78a8803dba0fb44df44bd2bb14baeca29c7c7410dffc812 |
memory/2736-287-0x0000020154000000-0x0000020154002000-memory.dmp
memory/2736-290-0x000002014FCF0000-0x000002014FCF1000-memory.dmp
memory/2736-294-0x000002014FCB0000-0x000002014FCB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe
| MD5 | 6525af1c2f2703af400bc06d43cbe6ca |
| SHA1 | a607cc602bed06b410f9ebe2f48a5b7fc6a2288f |
| SHA256 | 260d7ec67c731a751625ef18ea5d73b2423478310cda8581a31628d5764d8f2c |
| SHA512 | a64437574ac8ddacfc26106ca6ce90a99c96ff710f0f8c2dad6df6613fd1bc6ec5284b8e0c82d0c30a5c0db4cab1b090add88ed9dc81dab31dff6fb06ca787d7 |
C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe
| MD5 | 9125279bee012f47dcbf23849116553f |
| SHA1 | d8208dd025237ecc897df2e6b151a51df1ab594d |
| SHA256 | e0c1e1aee89fd47a249107a8e387d402378c59458222510bea3356b29fa135e7 |
| SHA512 | e9113a6cea6ce9bbc24ae7191154f911150d70267b7e03aa0e0afab6d9a11763585dce8267f5557dda0833964e5282b6cc25aa636dd46569e9e5a1591d1ac073 |
memory/4308-306-0x00000000006A0000-0x0000000001A64000-memory.dmp
memory/4308-305-0x00007FFF99AB0000-0x00007FFF9A49C000-memory.dmp
memory/4308-307-0x00000000022F0000-0x0000000002300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe
| MD5 | 27092644ea7eb8095b916ad7b825bac8 |
| SHA1 | 776e97168680fa16bf741d07f202e22024fbcd14 |
| SHA256 | 247c794eb6da41670130500fb9bf3415261b328d1854cde52cee12b1e465dfd3 |
| SHA512 | e098628dee6b34869f6c3579fcb7f76387b5ad3fdacb1571db4592c44761c2865d75e2163925f31b8dd18e52c6af78c5afa2f5066d055eb4b472e305ccc955a6 |
C:\Users\Admin\AppData\Local\Temp\fe4b40b9e9824563b8ed53b9cd8692f6.exe
| MD5 | b899fdafb91296ffcc7ccbebd247b962 |
| SHA1 | ac5f3c3185660a8d730c9f1635402c960ae5a182 |
| SHA256 | e9dcefad91a8d500da841742779c751f21622c4da8916c7ce6790323d09eb793 |
| SHA512 | 25c2be2c051921c095972be266419cd9a7bdeaa52e5325224d33a73423b22c4538cc1b4947fa73bdc06eaae6185235e38e185d1958a152f74d0d6c2d50398adf |
memory/1756-313-0x0000000000400000-0x0000000000A31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ention.exe
| MD5 | 65650140d71d3fcbee8ace7975ab2ac6 |
| SHA1 | c2b59a21b1d7fe6b2232efaab3042b81e4909dc0 |
| SHA256 | e961caaa4f22b6f9a86c4e72b529861fb8a5a6b55d4bd2e64c005be4b007eeaa |
| SHA512 | 7fa41420b772811c812a2847c9bcbccc10765e9ee2b4a8d66805ec9c3ae484f29b0c1425bb4d0969c80933e5ae0d0537bca33e5ea166ededb701bc7af5d037c8 |
C:\Users\Admin\AppData\Local\Temp\Ention.exe
| MD5 | 243e16c6808e43afab5d73b6a162c655 |
| SHA1 | ee2ff71920e319532a78373202f0b3af92b45b9c |
| SHA256 | 6dd4243a47c027a7a23bc43bc769f611b515bae40ccc2085c3f7c976161134fc |
| SHA512 | 1ea224be471430932c07d4fbcc19736e93c6a2d8986ca696dcc79fe7313a17b69ae2e616d5bca9dba256bf5ec555d7e335568e92080ab8502dc8b6bd638a488e |
C:\Users\Admin\AppData\Local\Temp\Locker.exe
| MD5 | a83185ef7c03bfe0e0fbe10098876a34 |
| SHA1 | b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d |
| SHA256 | 7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be |
| SHA512 | 283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c |
C:\Users\Admin\AppData\Local\Temp\Locker.exe
| MD5 | 2375b71469b2761f181f4e1bfd1f2463 |
| SHA1 | 0434f0d281498db73fdb76891525cc0f1ea142cc |
| SHA256 | 374eab1c5abd8dbab74f74d53c4066257642d485f7508d1f549b7a6a85fff3d2 |
| SHA512 | 3475d0d999a3841a4e72aa936f5cbbfbc5324b21dfda8cba5647c480a85aeddadbb3665c2713c0bcafe95fadb63276c5154eddbcb6c9d4e2218a188a70d4a0c2 |
memory/1792-325-0x0000000000400000-0x000000000075A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt
| MD5 | e7cf6700045181cb6889772d0d915586 |
| SHA1 | ec2478210baee9d7e7ac72d43b66ce642ffc4147 |
| SHA256 | 3f93a8b1cdb1a748236e3d4230bd856abefa8d3660b691de89c5fc4e249a0fed |
| SHA512 | 79f764665cabbba8cf707b6af065c92c3a91ee8f393c6bfe121db64e8fc446aef39bbd8d47efea20c948d907454bde6b1deefba3ef3fb847ec3452bf136a3352 |
\??\f:\Client.exe
| MD5 | a85056ecfbf94af8efaa2e9dcec8ebb1 |
| SHA1 | f081275fbbdddad10689e185a750e1fd1ca0d0e5 |
| SHA256 | e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955 |
| SHA512 | c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9 |
C:\Users\Admin\AppData\Local\Temp\autDD9.tmp
| MD5 | 7c30424c525cb64760083e066ca1f77d |
| SHA1 | 69c369028e3db4fe5c2fbc69cbd837d66496c480 |
| SHA256 | b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643 |
| SHA512 | 59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df |
memory/4308-454-0x00007FFF99AB0000-0x00007FFF9A49C000-memory.dmp
memory/4308-455-0x00000000022F0000-0x0000000002300000-memory.dmp
C:\startup.exe
| MD5 | 12b162b0c010fcc23fa43b03cbb76509 |
| SHA1 | a696c6b6d5c0216b3eddf8dd4eb2a269abe19d00 |
| SHA256 | 6be68911f16ec9283da61ce222d946c9e8e5ea39d71ad9d23216b4961947d180 |
| SHA512 | f983d2a19c18574cd09c1be30f44a6c8b586bfc74341367f6dfab26a6c7440f73e7ba252e66d1ed5fa6af5a78dd3f69de3909a369fe08ad78ca1e539eaa036c4 |
memory/4308-595-0x00000000022F0000-0x0000000002300000-memory.dmp
C:\backg.jpg
| MD5 | aa8212e3f48d35711f219cd9bf1265ab |
| SHA1 | a3b17cc5311f23cc2db204f5b7081cd7d170094d |
| SHA256 | ddc65eb885e5f89406a0b9ec5d23b0bf041ef9c15b689ddf6b855c9a62132200 |
| SHA512 | 1d15ea1e09dae7d5c2b507f26dff3c052888deb7e5f8d17f5baac1c76a15cc2b0f11b470d855213ba17c03b32856e921b36c8acc6a32e9ff1ab9c04dc4ccf261 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
| MD5 | 07633ba66f1d47a46791dd4e31dc205f |
| SHA1 | 5a6096eb2122cd089dd5c2c20d02079631e074d7 |
| SHA256 | cbd11c45f80a45a7219c0590b04185250e1a9b898d9b905837808855c785431b |
| SHA512 | fbb026281e5bb96ac2615747a9d8e942fe73e01f5390b4f43aad425beeb854957691e9b90c2068d6e99b2d6189c5637e4ecb05791f1017580f2af1fb08283505 |
C:\Users\Admin\Desktop\Lock.WaitClose.cr2
| MD5 | 15fc1622619d91665093a3d6118e74d8 |
| SHA1 | 5c0f3aa523e9165ae5211267fa0232870f745266 |
| SHA256 | 1ba900246964cc9e9325dc33f28a403b0cdf38354e69d781c13a8b26c2273164 |
| SHA512 | d6bde6b6baa6de983d69a568979b9f238c6c6968c54cb10719e8dbe2ef3e2dffc1ed8ab3c9ed464b0953bb780c8f9cb324c3262f4b49dc83d8064715f2b205b1 |
C:\Users\Admin\Desktop\Lock.DisconnectPublish.tif
| MD5 | 449fd8034efe151cf738eae0116333bb |
| SHA1 | b2703d07c5aee7039269db6e358477ce1c221881 |
| SHA256 | fee060d593815cb8e4541715ecfa56e36fef2440f64fbe48addc9edbdf256292 |
| SHA512 | df97a83285541e03b1d41c1f08fcc9172dcf772cbdc3d4389ed44bccb646b7e27958d925f7db87927ad064f2c5e9fa7d12018e0b0c61125461c64495ba5c6839 |
memory/4388-616-0x0000000002F70000-0x0000000002F71000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS2.jpg
| MD5 | cca27415b786d200913522217acf8522 |
| SHA1 | be4cb7f3d444f6a715a6868243810181fb1eb1de |
| SHA256 | 2f18ae84098647ccba038f6a3da82b03b1b43e1f035f4a6d583c63f10d0a40c7 |
| SHA512 | b9ead104aaac9da740cbd333fa7afc68148db77cfb56645d5793f91ce4e61d7e42a0f720698eb706efd2a8ee97b7189b8bbe26f6cb3a2470c2a5fdd88af4c3d7 |
C:\Users\Admin\Desktop\Lock.CompareWatch.docx
| MD5 | 47a9ddce20b4056df9918356f730b743 |
| SHA1 | d0d341ff41a956df550744ae7c3619f83851093f |
| SHA256 | 90a8e8573bdac723d41dece7e6f51a27d1a39a72cbe6ec8cf6ab5186c7919734 |
| SHA512 | a60c0038552da7daaf86774ce30a736b44b7410356fa188a41afca9d5bfe4611272e75760c31b3b95930491bf58e02fa573c79a2df5c79d78bfc4117e9c9cdd3 |
C:\Users\Admin\Desktop\Lock.ConnectStart.contact
| MD5 | 870af7ea0ec96db43f5d53191f419d3c |
| SHA1 | 04e24b224a8750b3735b4520a5922bd399f21d99 |
| SHA256 | f2c666b2eba1d10dcbb790e7b7fbf6433f65122be0a1744755e74eacc4a762b6 |
| SHA512 | 02cf8f74551c1c3d3f4f5417988f13b5aab1bdbd145d1299ef1b6daa03a4d772f8556be4a59c7753b464f1d0358febdfe109a7d1bcb875ccbd55b4a297e84853 |
memory/4592-628-0x0000027DD4340000-0x0000027DD4360000-memory.dmp
C:\Users\Admin\Desktop\Lock.FindHide.eprtx
| MD5 | b74e48e141896371403cb0ea648fdd90 |
| SHA1 | 493feca04039c3d667be93ef6fb42dbea4c07cb0 |
| SHA256 | 3784c78f25f26f9fec7a50a5c59eea24af4abf2902a3bb635aecdf835e0769b6 |
| SHA512 | 9aa9c4276c8f74030f19528dbbbd611fe3686c067f05f4ccf2096f0b7ba7583743bb49a37362dc3ac56c2e8f12e53859ae6cf49f2b34e9c1f01eec4884dfb4e1 |
memory/4592-632-0x0000027DD4670000-0x0000027DD4690000-memory.dmp
C:\Users\Admin\Desktop\Lock.GroupRead.mpeg
| MD5 | de451bae4bf2925f4ad8c2f6e8798aab |
| SHA1 | 6f0134ea859cce7b39df7b354c02da707d296125 |
| SHA256 | 7e834da22de1cca1a362b9ebea552c8927d5aa0bc8b2b6b1dd07c878e145febf |
| SHA512 | dac930e033e8285b78f13ce70f58b047fb5cc52dac593aeaf0655c9030e2bb7e2e7622f4876663c9f58832bfed6d61c5f08697c7c8ebd15c0c7bb4705dc760cd |
C:\Users\Admin\Desktop\Lock.InitializeUndo.fon
| MD5 | 7c77c093e8f2dc4b9cddf6d7b8f53343 |
| SHA1 | e72c7523a4dc5fbf4628f62d4e16bdd610556828 |
| SHA256 | 53091f434fd8d4e8d31377927f3e4b261da5a02377380dc0d944f3c12f57a38d |
| SHA512 | 40555c63da9ab8c34a5cfdce848cd4deaae9540d1a69144039a26d50a3c7c13dd43f8ecba0bb06d1274f0e2063ae1ebd6b15f1da899e599e84c6a06754f035b2 |
C:\Users\Admin\Desktop\Lock.MeasurePublish.mpeg
| MD5 | 487675bd5cdee2a16bd7d89f7397468f |
| SHA1 | e42c8db130e78bcc7e270aad06f6c4ae9b2138fb |
| SHA256 | b97562b6b6432edc1f257513e1d029a4013610f89f9a0d4a037fa42d80aa00e5 |
| SHA512 | df6792913ff2b2ce50f96ae8567ddb0c80ce301473cb5d0cf15d09e5dee8062b914c0ca694a855f59ac11456a5e19e38660031c2c1b1cd04f95f4026e516bea9 |
C:\Users\Admin\Desktop\Lock.RequestStart.potx
| MD5 | 6cc90535e31ae105b7aed16333cfd3de |
| SHA1 | dd4a1d4030a5972a4442935520585c0df2b4c72c |
| SHA256 | 01b9254f0c0a829d05998591ba163606f269fba3c045a7d7b82d00e39f3395c4 |
| SHA512 | 159805e61b21246ca82f8dbd032450ee4f15866b58f6d3f25a441f5785a28ebc978e1e2e7c1dc5a3929b5d7473440666bf74bb7f11bf40cbedf594fb9d25e4eb |
C:\Users\Admin\Desktop\Lock.ResizeEnable.dwfx
| MD5 | 7519cf78722f8e4a58ca95278a09d2e2 |
| SHA1 | 1f869e95694e604b8a9d03f7c9a959803f5eefc7 |
| SHA256 | 28f1671b83f0b53e3f55e2bfb0d263cd52a8c7200c566bd4f393ac070552959d |
| SHA512 | 4c0249e0076fcbe9a4cbcd9356b2489f5195ed69d7ef29d2cd9c5898d74f8a425c7292f87c6150e958fbad97f461b04c7866b4ea5c27cb96314928ad4cda26c5 |
C:\Users\Admin\Desktop\Lock.ResolveRevoke.M2T
| MD5 | 9957aeb1a2cf97f350cf6801cb8586a1 |
| SHA1 | bc98909794e94365aee92a5d3d41401337d2e7c7 |
| SHA256 | 2fa53e32b9dcd857ecd7bc4a56dadf1daaec0f8695d8cbb44c2fae0be36e1e55 |
| SHA512 | f60daf9c19910eb4e4d40ef23ab6f8a3eb32f186c95708e176c2bf560068bbe27ce9cab1a52f9c9624bd8e16a969d4ee94cd7dbdf2d76fb9f15232a3e67c503b |
C:\Users\Admin\Desktop\Lock.RestartTrace.jpe
| MD5 | f525565d82485fd6448e059a2179eec0 |
| SHA1 | 7e68252c3e8753b65ba2d96c71116070605c34a8 |
| SHA256 | d6ac55cf8286bb9ca6b1c3e2bdc9f2fb80e3fcc9ed8deebfc6d6ad5184380ef8 |
| SHA512 | b51fbffc6aa6882a7148f151b2fb780f44cea23060a92716fc523d7e4ee0a93ab334885770c34408b41159ffad22aec25aecfe5dd95c05b8f5846559ceb45e97 |
C:\Users\Admin\Desktop\Lock.SelectPing.wmv
| MD5 | 2a9893f2d43b0770b75e177fb28f3a6b |
| SHA1 | 5ee0f4cfdc18ac4b83464def1a9b6946af58ee50 |
| SHA256 | 154171db589c7720f8db73d9179c1f307699ac124087b5570195ebd0bb16879a |
| SHA512 | 7ea2ca122f9a0cc410bc974c405d0ad91963ef17ef29a7f8892f7f682182ff3fe4ef5deb6dcbf55f8bfca1e3029e650cf8a654e45159713dfc6670072ad863fa |
C:\Users\Admin\Desktop\Lock.SendMerge.TTS
| MD5 | 42265e938eca720bab84d60678c96207 |
| SHA1 | 041e094ed70b63e7d60134d0edf6493abf3e11e4 |
| SHA256 | 7d08b8772e346e0c24935b4d45495c0783d636556deec25e48b5a1606d52bec8 |
| SHA512 | 081035eb72585c30c653135a462ad4e74db24f044b4112eef10fb91d270366d23d75cd6eb832eee2912c49567b6dd1a4a774a36d952afc99c692026f0712f073 |
C:\Users\Admin\Desktop\Lock.UndoExit.jtx
| MD5 | 9f8a06f8793aa414be45a186c6b2a723 |
| SHA1 | d509e62c5ac1af41bb4786c2b86a97233484518e |
| SHA256 | 2a61d6968632f1e77f8a0ae805120d04caf5e02670cdcfd097163aa254c4076a |
| SHA512 | b442cff7c9731eb5ec7dc8199b965b0cb086758feff6e6a650c284083d532af4a48b9c53cd598edeb95cc092597c42701c946d71b1ac17863d92bc37917e0578 |
C:\obama_icon.ico
| MD5 | f89f675153effeea979e32716d1dcac8 |
| SHA1 | 84780277f79505ccf920d13391726741e127a79d |
| SHA256 | 99232a1b8d11825ccdc89ad8a9e095c6a1c36731836c17207ec5f45cfc0270f7 |
| SHA512 | 8c447c5a226a127cb671eac033bc7db370a5dd47aeed7e46fcbd112684bcbff300827292c8bd87aee6f21bff887c4c04b7620b3bc22a3b6bd3b6843678083fff |
memory/4308-755-0x00000000022F0000-0x0000000002300000-memory.dmp
C:\skream_icon.ico
| MD5 | 21a8888b16b257c094fd38d09612fc48 |
| SHA1 | 9ce7e89da63c663987c9624a845144a4fecc3e72 |
| SHA256 | e1e71925f5169df514d0c196f41fe91ae1419426ed28422aea78ab85b4dafbc4 |
| SHA512 | cc554f7180b8f79de7ee6278b19fe8a4331ab9caa5cd980caf66eeed973a3577b56dfb57e4c0797d7987ce55ff8ab305a9a51b27568ae0fb9414498d3c494af2 |
C:\the_wok_icon.ico
| MD5 | 8e1462f2d993e1bd6fd00268623abece |
| SHA1 | 67367e20f64d32ab8d1840dedd91d686ac989952 |
| SHA256 | ac084f24272a89b616e21add98739a7c4dc55830e6c7ac8fff74a9d495eef4c5 |
| SHA512 | 9184a8a87c2b5ec222df4d51a940977b2ec784c634ca66e5d11a46d35ef1a38162b6e1090e1df364eaef3fc1313a39a989a803c2ace603e90fb4473ec9105ace |
C:\ustupid_icon.ico
| MD5 | 6e3e6e1a0f01c0168c7b1fcb4e63a89d |
| SHA1 | 785688b7caa8f28583e417a651517b721405d835 |
| SHA256 | b856abc28d3d026fbe327376bbd72f7a169012bc987d59dc9fe600e9714ff634 |
| SHA512 | d2038420bb997ff0d97561ff8b167822de36fa1f924962abed0f29b3c8b2ef7bf9a9f52311738d498b894cfd7d488ee0a1741150e45782e555028483bb1ecc99 |
C:\walt_icon.ico
| MD5 | fa516d1d0fce7db4dfa81e73cf74e917 |
| SHA1 | ecbb4b0ab88b6c7574279693bda9a7cfd0a2d9c0 |
| SHA256 | 335b92e10ea035e1061ab8d44d02472d2db80a838eae63900b9d02ab9483c4af |
| SHA512 | f9adda2c53121fbe6a0c42582f2af6d19dc8225f9422a2163210153bd5bc458cd4fadb1d97085fadc658b45557ddc3650ca96d68764241a153c70b68569dec8f |
C:\xina_icon.ico
| MD5 | 0f111a8457f17592240624b2e80a6c61 |
| SHA1 | 23b009e988c3a95d9e8ac97e9baf2979dda3211d |
| SHA256 | 8d49d92735d094885cbb57a63988e6205b5a477f2a571aff2f1e8d295f3d8e2f |
| SHA512 | 4e14e5e9c834723a23d3982fa2c5223eb0ac09403bc5cde638733c2a96dc28f820f76b6614e444b5a2aef3fb9f53c6e8f1fffd265ae7bb0af0c372aa7f548bfe |
C:\theme.wav
| MD5 | e4f642067670a4001d31ffb18f481f96 |
| SHA1 | 538336f1beed8f74a0913454265cbcce4822c4e4 |
| SHA256 | 5b41d14436cdd8e5467be6a1705daa108c428176c9fa4f9c74bd88cd4b703960 |
| SHA512 | 5b7e27540c1bcd579d633597de005b7cb6a91f2dc8a6849c23b16a1fcc942688cd59ef0b0422a2832a2c84b6517e9debd87c5a1e9a57521837dc1c18ffe4a59c |
C:\guy_icon.ico
| MD5 | caf2b6d49aae9303b222fdd06b91f10a |
| SHA1 | 12b967bd3aafa465c228551a7cb2d70f8b9f972e |
| SHA256 | 2b670bfb2029e8f023f13180780c648f606bb91fd5854e45e08c27bad2f4e1b8 |
| SHA512 | 0eb51b3e222c4843fb3d79bddfd04faf41135845f1d20a320be84f076289be9890624cb34b73bf4093b2ddbb8d48ff409deeec5aaf3b10216204a24da4c2f92d |
C:\rock_eyebrow_icon.ico
| MD5 | 56afb11ebd7367af4c03b065ef3580f3 |
| SHA1 | 4f30fbf3d5c0469533c1b33b98aa612e6704c14b |
| SHA256 | da6e60fa7d074a5b8a90e3ebe53ed1c01661423ec0ec1ff154857bcef14ecff7 |
| SHA512 | eef0e1be7dfde83f546d36f41a6339ce17d5c7153da3f3d003838c333884458697b2d156abf9c119f4786d4d53f08563b79d17c0c3e316dabfa519db145e32c4 |
C:\avocado_icon.ico
| MD5 | 6d362a3e515cc18d537f74fca1f75293 |
| SHA1 | 99a5b363ac274e027530fa7a532a007b0e6c56f3 |
| SHA256 | c87dc1a91720070afe96d3be716d6203540da4d08e9d2339967a8a2a6a521d42 |
| SHA512 | 896ac439ff7ff58b33413fd978bee25afffd9f4b2a8183ad63db861b92c7118bad0b845ccd85390c8b8a76ba57f6a6fb7d0ad3970bdb0a28fb9f2ed718979821 |
C:\speedrunner_icon.ico
| MD5 | a0bd05bdf6641d55fff217fc45b6e7a4 |
| SHA1 | 9c4f824bda8ec17d0c23fbe50cd8f6c55d5784e3 |
| SHA256 | c34b87c2f0454d80f7b1989e80eb5b6ca04052c16f94ce294f15a0053cc76ce2 |
| SHA512 | bdecd28c096925852936f0aa96a406596a3d60bbff51ac1e12d9241f4c7552630bf12aeb73cfed8cf8afc916cad90d4e6d23e5eafea6e14f73b73ced4992bad3 |
C:\ben_icon.ico
| MD5 | 35ed09899d21d2f9806e5c4eb1411324 |
| SHA1 | 5afa7972868a84f4e49d65f149aa09dda07870d2 |
| SHA256 | 66775b29fdbd36e7ea15b038224a12271fe84b0e1129b11dec008af1dec986b3 |
| SHA512 | 625d060ab49f371a9416315f85f6c01874cc19bfd5a4fb9b0a84287f1af0411695623e4176e62afa6623b16339b4c603f6a2179fe00ef505fdcd97e2b36cf820 |
C:\dad_icon.ico
| MD5 | 8883262af502c220932bbc50979391ca |
| SHA1 | 0be9ff95e86e798493f5f067a6dd3ddec9ed6832 |
| SHA256 | f500586d27d938ebfc965c59cdc42e361b78bc41246d52a075bc278271c96fc6 |
| SHA512 | ca78bd4cbf199ac1ec91058e48f357b3dae908a5bc06eba132ad9e143d5791d11e04462a96bf836999dd412ff0d9f37d06243c8b944f84ec354a3fb223b1d076 |
C:\whenimpostaissus_icon.ico
| MD5 | 57a21de76111fd67dd32bbf5b8cbbe8f |
| SHA1 | 127d6c20da0234ac8bc9dd65391fcfd695185274 |
| SHA256 | 8a5f22591d81c5ce727cab12fa380c3331fd9a3118a69667bd21b8ed9d6bb96f |
| SHA512 | 4177b17475c7dff84fa577077d844e27af7d8dafba7f6beacc1b45174d4df2ae88f242529dfbd5f6e5b80bbc5ceb949ba0fcd2c3c7065dcf32226b0e9da85629 |
C:\amogus_icon.ico
| MD5 | 43042269818924374a29891d79cb676b |
| SHA1 | f34ef8a688e15efa9c0117816a617892a2730bb8 |
| SHA256 | 77aa5f8536b9c30133f8083712b2d5434123d31a6ed41f0680fce52e06144187 |
| SHA512 | 09cefcf48c1ebd4d5593d6d4f6973ff39330d23cf606da54bf79eeecd355842c675bd530b4e43d19b3dcc3fa6f4539d5d161ca423347197d6b319c17abab0e31 |
C:\Users\Admin\Documents\Lock.Are.docx
| MD5 | 4d3e6bbe44de5513c1733b3e0c6eac64 |
| SHA1 | cd3a00fc52b12f900bd4a87482d28021e2787265 |
| SHA256 | ce28015b2b93deed2c7569c325e811aa9a0eef29070ae6f73e59dbdee7009fc8 |
| SHA512 | 11c128b5a2dfc97a57c5cb49ad31841179344bd3179db15c71f0a3bf11cb61101d1bbc2e125baa8532f383360198c7843d01e8dd63c3b2340d77351db8ad419d |
C:\Users\Admin\Desktop\Lock.UpdateInstall.odt
| MD5 | 74719d5073111f82434d0a6e91866621 |
| SHA1 | 87b146eb1b0067d148787c0de5df5a6d3f36ab4e |
| SHA256 | f83119e6dc36294fae8c33829dd7e1c2168ab9f77246cd69cb3a4b661365d0ba |
| SHA512 | cebb9ca5333fc7ed058ea32d9b133ba611e8e756ff2f781bf979e177e3930fdc52f75a02c8434e2b5f41fe484da17a57bc40a279929dbb15da9b0afbdceb9ed4 |
C:\Users\Admin\Desktop\Lock.UnlockSkip.hta
| MD5 | d6709da0420ab102b0da82ce44eaedd0 |
| SHA1 | 602fda0d9c203c97871b3040cca417beb75ed98a |
| SHA256 | 61532c2c36f93a44a2e5cf8c4649839a1fbb1659c443a9df4fffb29f3fbc707e |
| SHA512 | 4eda62f216b3361c00924ca63e594642e87de0f11bcc00820fc9b684cb63b2184b87d14e95881835bada98c2f9b8ebf6463f60f20b007f73d07e70066b131073 |
C:\Users\Admin\Desktop\Lock.UnlockReceive.asx
| MD5 | ed3ab00113151514fc3dfc78d907611d |
| SHA1 | 4748e09d287014271604868bec8352f5f87ca831 |
| SHA256 | 71e6da70a8514a31837f1ebf14c54b1ca52219a67e6f5dc42a2bdf35f92190c8 |
| SHA512 | d94d0de1c3ab8fb60057f0163ce54236f0ea79d90001a75c9fffa920df07a8f495f8a3f3e0bc0022452b7b3397cf0a23cc24d7f324ebbbae2323d29d04a115d4 |
C:\Users\Admin\Desktop\Lock.StartFormat.reg
| MD5 | ce1486427a77f3cd80d7a3a6bdb9bf70 |
| SHA1 | 44c37553ec93d34de1bffcca616f79595077ecf0 |
| SHA256 | eb9951b35952c025150e1f6d93c17b43e85dd7ed4c255586ff638c843427ca39 |
| SHA512 | 1146b1acc0a1703e558ab4b547090b7b5d86dc1803f63130a9661ffe618671e99c003eb6aee94462d50a8719f3bf1e5659d2aa896054fd9ad8324368153565e5 |
C:\Users\Admin\Desktop\Lock.ShowUndo.snd
| MD5 | 72dcba71836be0db3375351ee14addb5 |
| SHA1 | 0d7a27c654654f7280990b6d86df3de5cb82ab5d |
| SHA256 | 292fb5d8e6a929a75a3f9f3567443fee3e16cea13682933f2e77a2a28871db4b |
| SHA512 | 8b81bb4a680b344932cce8f821b6f2aa933f760d6bdc1ff08357e054c25e440ec28fcbcf6e05310a5e341f15214e4008deae1becaf982b4145bc2048c87d3d5e |
C:\Users\Admin\Desktop\Lock.RenameUnprotect.hta
| MD5 | ff7bfc3c429b924bf35d4e8eff17593e |
| SHA1 | c41fbdf7380421dfde4bcad416727e2696e9d1fa |
| SHA256 | e03dc6785b36e8de78641684d75f3e186f895941bc3b864ee21ef6ab56caaffe |
| SHA512 | 2ece92cf32ec6290663f66aa4a4314b1bf6ab1674f26191c718d8687f679df77330b29f70ab51724c72c1e02f44ce610938fd2e67f6ad73ca1f675287449f50a |
C:\Users\Admin\Desktop\Lock.ReadSwitch.xht
| MD5 | a97330fc33edfd1ae4d88347956c06af |
| SHA1 | 0d0ce772df0e9539fa524360bf0905ebff02fa02 |
| SHA256 | 1661eac8c7dd045c541614ca4f4d1b2db62302634e1489a8c91249755d14dba5 |
| SHA512 | ec80ca61c6eff47f98d5fafc6c9c1f5e7b471e8b1279e9fa3627a285cb1533195ff38a53066e635bf781a493403b3b06527251193566463a7d2e20238980dc05 |
C:\Users\Admin\Desktop\Lock.InstallEnable.search-ms
| MD5 | 54ba53aa3f85b8512c47a7d6dcc71728 |
| SHA1 | 041b21a04311a95728650be7bac68f2ac1021218 |
| SHA256 | bd18f7e68e27d9f5a083cde58c8f33eb2fb286b88eb9e9d98d63f00c9fc2c604 |
| SHA512 | 440c5807c6f661b3ebe22c2b1ace4f8f5cae731d8eee44bbf91db4c97650d0e40517391d918e4965f04fab3b7953f8a2a8257506425f6dacbd319668e3d35d07 |
C:\Users\Admin\Desktop\Lock.GroupExit.ogg
| MD5 | 9da2d454d1d5e9a6422fb9667737adf0 |
| SHA1 | 383b496c833de9b6a184dc66a7928c114d575f05 |
| SHA256 | 366ca92becb70660c1c016b616514a4f0f383d0d7cefea5a6823a34f1bd4b9db |
| SHA512 | 39b80ef268605ee60002923e6aba740a616c08ab75fdf7ef75300bc8438acf66d85ad21d26b6cb5310726f5539f7c5086373e2bf09a8c0ea9ec6bb6a54996863 |
C:\Users\Admin\Desktop\Lock.desktop.ini
| MD5 | ba41cfaa9aff58c3b40c7ac73b4d1cd4 |
| SHA1 | 691f19d9330522a47b16c832c6d6b51a3a2efc72 |
| SHA256 | 30fb6cb48d4689a02731dedf82483a58738ba4131e4be90b2a44bd1ab9fd6a0a |
| SHA512 | 708ebe3314fd85d51ab0e73d83a7e61cb00d6c0ce5e78530f7ed6c9e6bcd827ca5b3ca4cd34842bc2d7337fdd73c4c1f39407f5e8c94ba6a5fa8e9130533350e |
C:\Users\Admin\Desktop\Lock.AddShow.temp
| MD5 | 3cf6baa8e347ac0d61125d0d290e2db9 |
| SHA1 | 590123b897f9e9c16d74027a24acb60624701338 |
| SHA256 | 539b57b96a11f22963edc81730d9ddef8b6591ebaf9462418e36f4e85e87f5a0 |
| SHA512 | e29ccde6a1248f863b288d1212069fd2a3ef7de455a1aaa9e69edf94d8e4d7c7b933555352110cc8949996af3d1f962391459decc01516e601bd4863a2d94b8a |
memory/4308-874-0x00007FFF99AB0000-0x00007FFF9A49C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/372-896-0x0000000008530000-0x0000000008540000-memory.dmp
memory/372-898-0x0000000008530000-0x0000000008540000-memory.dmp
memory/372-900-0x0000000008530000-0x0000000008540000-memory.dmp
memory/372-902-0x0000000008530000-0x0000000008540000-memory.dmp
memory/372-899-0x0000000008530000-0x0000000008540000-memory.dmp
memory/372-903-0x0000000008530000-0x0000000008540000-memory.dmp
memory/372-906-0x0000000008530000-0x0000000008540000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 6a7f1f684523639a1abeef520ed75034 |
| SHA1 | d04adc28ab2656a7feaa737744e81a4f5d5cfbcb |
| SHA256 | b0631f999f4255aaf8169eaa6d6116ce805465aa5419fdf2013a0c4a6d0ff96a |
| SHA512 | e04e6236936202c5f49131c37e1a83d9f348908fd244bbfbdb78c143a4da9c2141220eaae834bc5aef86f0bd66863d93f5818ac44cc7c032749bdafa2815c5e5 |
memory/4172-931-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/4172-934-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/4172-936-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/4172-939-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/4172-941-0x0000000005D00000-0x0000000005D10000-memory.dmp
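The dropped-file listing above is what an analyst has to turn into a blocklist, and most of it is sandbox noise (Edge cache, CryptnetUrlCache, wallpaper transcodes, media-player databases) rather than attacker artifacts. The following parser is an added example, not part of this report or of the sandbox's own tooling: it reads the listing format used here (a path line followed by `| MD5 | … |` style rows, with `memory/…` lines interleaved), checks that each hash has the length its algorithm requires, separates noise from the files worth blocking using an assumed list of path fragments, finds paths that were written more than once with different contents (as `c5e2c4685b4d46d79e31f7fb6dcd8d04.exe` was above), and exposes the memory regions per PID. The sample input is copied from the entries above plus one constructed entry (`C:\constructed\bad.bin`) with a truncated hash so the validator has something to catch.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One row of the per-file hash table ("| MD5 | <hex> |") and one memory-dump
# line ("memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp"), as written in the listing.
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEMORY_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Path fragments treated as sandbox noise. This list is an assumption for triage,
# not something the report states.
NOISE = ("\\microsoftedge\\cache\\", "\\cryptneturlcache\\", "\\inetcache\\",
         "\\windows\\themes\\", "\\windows media\\", "\\media player\\")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex


@dataclass
class MemoryRegion:
    pid: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Split the listing into dropped files (with their hashes) and memory regions."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:              # a hash row belongs to the last path seen
                current.hashes[m.group(1)] = m.group(2).lower()
            continue
        m = MEMORY_LINE.match(line)
        if m:
            regions.append(MemoryRegion(int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            continue
        if line.startswith("|"):
            continue                             # any other table row is not a path
        current = DroppedFile(path=line)
        files.append(current)
    return files, regions


def validate(files):
    """(path, algorithm, reason) for every hash whose length is wrong for its algorithm."""
    return [(f.path, algo, f"{len(value)} hex chars, expected {EXPECTED_LEN[algo]}")
            for f in files for algo, value in f.hashes.items()
            if len(value) != EXPECTED_LEN[algo]]


def is_noise(path: str) -> bool:
    low = path.lower()
    return any(fragment in low for fragment in NOISE)


def find_rewritten_paths(files):
    """Paths listed more than once with different SHA256 values (file written in stages)."""
    seen = defaultdict(list)
    for f in files:
        sha = f.hashes.get("SHA256")
        if sha and sha not in seen[f.path]:
            seen[f.path].append(sha)
    return {path: shas for path, shas in seen.items() if len(shas) > 1}


def sha256_blocklist(files):
    """Sorted unique SHA256 values of the files that are not sandbox noise."""
    return sorted({f.hashes["SHA256"] for f in files
                   if "SHA256" in f.hashes and not is_noise(f.path)})


# Constructed input: lines copied from the listing, plus C:\constructed\bad.bin
# with a deliberately truncated MD5 to exercise validate().
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZQ71I6HC\spf[1].js
| MD5 | 09724500269dc3256e3517a3b3526306 |
| SHA256 | f333d8729a3c54012666dff2de67a567e3ade40c708cac4a1b6f7083cb1c5c63 |
memory/2652-202-0x000002285D020000-0x000002285D040000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe
| MD5 | 6525af1c2f2703af400bc06d43cbe6ca |
| SHA256 | 260d7ec67c731a751625ef18ea5d73b2423478310cda8581a31628d5764d8f2c |
C:\Users\Admin\AppData\Local\Temp\c5e2c4685b4d46d79e31f7fb6dcd8d04.exe
| MD5 | 9125279bee012f47dcbf23849116553f |
| SHA256 | e0c1e1aee89fd47a249107a8e387d402378c59458222510bea3356b29fa135e7 |
memory/4308-306-0x00000000006A0000-0x0000000001A64000-memory.dmp
\??\f:\Client.exe
| MD5 | a85056ecfbf94af8efaa2e9dcec8ebb1 |
| SHA256 | e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955 |
C:\startup.exe
| MD5 | 12b162b0c010fcc23fa43b03cbb76509 |
| SHA256 | 6be68911f16ec9283da61ce222d946c9e8e5ea39d71ad9d23216b4961947d180 |
C:\constructed\bad.bin
| MD5 | deadbeef |
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    print("files:", len(files), "non-noise:", sum(not is_noise(f.path) for f in files))
    print("rewritten:", find_rewritten_paths(files))
    print("regions:", [(r.pid, hex(r.size)) for r in regions])
    print("blocklist:", sha256_blocklist(files))
    print("problems:", validate(files))
```

Paths that appear twice with different hashes are worth a second look in the process tree: they usually mean a dropper wrote a placeholder or decrypted payload in place, so both hashes belong in the blocklist, which is why the blocklist is built from every record rather than from the last one per path.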
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-24 04:26
Reported
2024-02-24 04:56
Platform
win10v2004-20240221-en
Max time kernel
1467s
Max time network
1457s
Command Line
Signatures
njRAT/Bladabindi
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JOKE.exe\" .." | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
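The Startup-folder drop and the two Run values above are the whole of the persistence this detonation shows: a copy named `Client.exe` in the Startup folder, and Run values named `Client.exe` whose command actually launches `JOKE.exe` from `%TEMP%` with a trailing `..` argument. The following hunting script is an added example, not part of this report or of any sandbox product: it scores autostart entries with heuristics taken from that observed value (image under a user-writable path, trailing `..`, value name that impersonates a different executable) and, when run on a Windows host, enumerates the same three Run keys through the standard-library `winreg` module and the per-user Startup folder. The `USER_WRITABLE` fragments and the `STARTUP_EXEC` extension list are assumptions, and the `Client.url` contents used in the usage note are constructed, since the report does not show that file's text.

```python
import ntpath
import os
import re
import sys
from dataclasses import dataclass

# Persistence locations the report shows JOKE.exe using: the HKCU Run key, the
# WOW6432Node HKLM Run key, and the per-user Startup folder (scan_host below).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"),
]
# Assumed heuristics: staging directories an autostart entry should not point
# into, and extensions that are executable content when found in Startup.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
STARTUP_EXEC = (".exe", ".dll", ".scr", ".com", ".vbs", ".js", ".bat", ".cmd", ".ps1")


@dataclass
class Finding:
    location: str
    name: str
    command: str
    reasons: list


def image_path(command: str) -> str:
    """The executable part of a Run value: the quoted token if quoted, else the first token."""
    command = command.strip()
    m = re.match(r'^"([^"]+)"', command)
    return m.group(1) if m else command.split(" ", 1)[0]


def assess_run_value(name: str, command: str) -> list:
    # Observed value in this report (value name Client.exe):
    #   "C:\Users\Admin\AppData\Local\Temp\JOKE.exe" ..
    reasons = []
    image = image_path(command)
    low = image.lower().replace("/", "\\")
    if any(fragment in low for fragment in USER_WRITABLE):
        reasons.append("image under user-writable path")
    if re.search(r"\s\.\.\s*$", command):
        reasons.append('trailing ".." argument')
    if name.lower().endswith(".exe") and ntpath.basename(low) != name.lower():
        reasons.append(f"value name {name!r} does not match image {ntpath.basename(image)!r}")
    return reasons


def assess_startup_entry(filename: str, content: str = "") -> list:
    """Startup-folder entries; pass a .url file's text so its URL= target can be checked."""
    reasons = []
    ext = ntpath.splitext(filename)[1].lower()
    if ext in STARTUP_EXEC:
        reasons.append(f"executable content ({ext}) in Startup folder")
    elif ext == ".url":
        m = re.search(r"^URL=(.+)$", content, re.MULTILINE)
        target = m.group(1).strip() if m else ""
        norm = target.lower().replace("/", "\\")
        if norm.startswith("file:") or any(fragment in norm for fragment in USER_WRITABLE):
            reasons.append(f"shortcut launches local file: {target}")
    return reasons


def scan_host() -> list:
    """Enumerate the locations above on a live Windows host; returns [] elsewhere."""
    findings = []
    if sys.platform != "win32":
        return findings
    import winreg  # only importable on Windows, hence the late import
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for hive, sub in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], sub)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break                          # no more values in this key
                i += 1
                reasons = assess_run_value(name, str(value))
                if reasons:
                    findings.append(Finding(f"{hive}\\{sub}", name, str(value), reasons))
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    for fn in os.listdir(startup) if os.path.isdir(startup) else []:
        full = os.path.join(startup, fn)
        content = ""
        if fn.lower().endswith(".url"):
            with open(full, "r", errors="replace") as fh:
                content = fh.read()
        reasons = assess_startup_entry(fn, content)
        if reasons:
            findings.append(Finding(startup, fn, full, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_host():
        print(f"{f.location}\\{f.name}: {f.command}\n    " + "; ".join(f.reasons))
```

Run on a clean host it prints nothing; on the detonation machine the HKCU and WOW6432Node entries would each be reported with all three reasons, and `Client.exe` in the Startup folder with the executable-content reason. The name/image mismatch check is the one least likely to fire on legitimate software, since installers register a Run value under their own product name rather than under another binary's filename.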
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" | C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg" | C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JOKE.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JOKE.exe
"C:\Users\Admin\AppData\Local\Temp\JOKE.exe"
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b8 0x3c8
C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe
"C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe"
C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe
"C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe"
C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe
"C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83AB.tmp\83AC.tmp\83AD.bat C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/lFwy2c-5Rwg
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffafd2646f8,0x7ffafd264708,0x7ffafd264718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12698391149725913272,7388856204132661249,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5832 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.156.13.209:15217 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 209.13.156.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| DE | 18.156.13.209:15217 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.157.68.73:15217 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 73.68.157.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.157.68.73:15217 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.192.93.86:15217 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 86.93.192.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | youtu.be | udp |
| GB | 172.217.16.238:443 | youtu.be | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | rr1---sn-1gi7znes.googlevideo.com | udp |
| GB | 216.58.213.22:443 | i.ytimg.com | tcp |
| CH | 173.194.160.70:443 | rr1---sn-1gi7znes.googlevideo.com | tcp |
| CH | 173.194.160.70:443 | rr1---sn-1gi7znes.googlevideo.com | tcp |
| GB | 216.58.213.22:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.160.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| NL | 108.177.119.84:443 | accounts.google.com | tcp |
| GB | 142.250.178.10:443 | jnn-pa.googleapis.com | tcp |
| GB | 142.250.178.10:443 | jnn-pa.googleapis.com | udp |
| NL | 108.177.119.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.119.177.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rr2---sn-q4fl6n6s.googlevideo.com | udp |
| US | 74.125.3.103:443 | rr2---sn-q4fl6n6s.googlevideo.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | yt3.ggpht.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 172.217.16.225:443 | yt3.ggpht.com | tcp |
| US | 8.8.8.8:53 | 103.3.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| GB | 142.250.187.238:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | udp |
Files
memory/5112-0-0x0000000074640000-0x0000000074BF1000-memory.dmp
memory/5112-1-0x0000000074640000-0x0000000074BF1000-memory.dmp
memory/5112-2-0x00000000017D0000-0x00000000017E0000-memory.dmp
memory/5112-8-0x0000000074640000-0x0000000074BF1000-memory.dmp
memory/5112-9-0x0000000074640000-0x0000000074BF1000-memory.dmp
memory/5112-10-0x00000000017D0000-0x00000000017E0000-memory.dmp
memory/5112-11-0x00000000017D0000-0x00000000017E0000-memory.dmp
memory/5112-12-0x00000000017D0000-0x00000000017E0000-memory.dmp
memory/5112-13-0x00000000017D0000-0x00000000017E0000-memory.dmp
memory/5112-14-0x00000000017D0000-0x00000000017E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_459522CFAB1749B8BEE0B90DAE653167.dat
| MD5 | 44b87076e98f4eda3393f800003787a8 |
| SHA1 | d27f203558974c8e81f6dea44f88742ba4f09937 |
| SHA256 | d251eca60f8583f9290a0dbab26fc1975a46004b07ae7665f3de19676c9085cf |
| SHA512 | 65e549b413238ea596f7cb1fceba84d5ffdeaae4d390f46405ab9d19b446b8fa8ff5966214731d8815bf7e91478bf3d5c28d76f41322a50fd83bdce099b3b5cd |
C:\Users\Admin\AppData\Local\Temp\af7ce5780eb74c64bab60dea864e29b0.exe
| MD5 | a83185ef7c03bfe0e0fbe10098876a34 |
| SHA1 | b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d |
| SHA256 | 7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be |
| SHA512 | 283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c |
\??\f:\Client.exe
| MD5 | a85056ecfbf94af8efaa2e9dcec8ebb1 |
| SHA1 | f081275fbbdddad10689e185a750e1fd1ca0d0e5 |
| SHA256 | e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955 |
| SHA512 | c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9 |
C:\Users\Admin\AppData\Local\Temp\autC7FC.tmp
| MD5 | 7c30424c525cb64760083e066ca1f77d |
| SHA1 | 69c369028e3db4fe5c2fbc69cbd837d66496c480 |
| SHA256 | b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643 |
| SHA512 | 59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df |
C:\Users\Admin\AppData\Local\Temp\9a20820f7ae74f2a85de829e243f8c85.exe
| MD5 | c29e84272de123ac2cae92bf8210d95b |
| SHA1 | 1b60b8f5430707ca08d806e5739553cd6cfccf89 |
| SHA256 | 42c145d05f5a3d20a4df748d488e32f986ef0bbd370dd086b6f431e00a5efb14 |
| SHA512 | 055aebf709f23647783f034913fd61721649ceddcc1357b4bd34ecd446b059f27c57a16392943000d7f2152cdec51043d11910fae1dd002f043f300d9724ee6e |
C:\Users\Admin\AppData\Local\Temp\8x8x8
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Desktop\Lock.BlockDisable.3gpp
| MD5 | 670ce5c4194d87a121da131c94358a4f |
| SHA1 | 31cf54a5879cd4f379e8d0b2ba73632d3ba2d50d |
| SHA256 | 79c98dc33dab24dd6e2a542bf4e4bc79d4932de2b45d40c197b2dbcf813cc35a |
| SHA512 | f2f56dc49224f9f5a67db7061b1a5a02a996303efa5c1c760a7b4151e9db64614ea651dc1c64c8bff2a367f7888492554a9cf2f07b99e78ffe0ec6f9b5d44de8 |
C:\Users\Admin\Desktop\Lock.CheckpointResume.M2TS
| MD5 | ae316fb88b863c54a29b0e15f6b5662b |
| SHA1 | d5e94a9b252ce49069323abd08b8b5bbe9975b9c |
| SHA256 | 9a892f18339dbbaa0e13ad1dde72069dc799e6cbfa7fe7875c4649cfaef0fdf5 |
| SHA512 | 4c544a5b3a5613dc1f5b7947b9e64c080e055a954dda845dd5d0b29122e233808329ce949559961d3cb316549b905fc68206b499ab1096d30db284f31712923f |
C:\Users\Admin\Desktop\Lock.ConvertDisable.rtf
| MD5 | 25ebc43b01f8fc8a8ec7f1204cfbbe5b |
| SHA1 | 61b5c8bc88c0a9635e4efabebeef7a7cabafeb00 |
| SHA256 | 2018eaf0ff87a5eb0f131736fb190d30f36175b5b3a8bdba0be32fee14fdcf83 |
| SHA512 | bf0ee465bb9f60676ef9ef7c68ee53f315e01b6b4a9a4cabbc431c894e3f4c59459b41f664f316230c27462212da4a749bd43b634e56f55f5c2a41481b111bab |
C:\Users\Admin\Desktop\Lock.EnableJoin.vb
| MD5 | 2cf2f59713820c90fa1f7754ce5d7d5d |
| SHA1 | 352385b66908d1487ab618cf978382c47c9cae7b |
| SHA256 | 1dc2776011f24bb4b7b73175a124dd219276993746865b6b597098d60a1b26a4 |
| SHA512 | 83e0323bcde52c1e869d8348c1d93de2ddaa774b656719b1303445d6792a68ca6502294fe2a046694f9203853a092751f290e6174ad5248e0556848f649a96c5 |
C:\Users\Admin\Desktop\Lock.desktop.ini
| MD5 | ba41cfaa9aff58c3b40c7ac73b4d1cd4 |
| SHA1 | 691f19d9330522a47b16c832c6d6b51a3a2efc72 |
| SHA256 | 30fb6cb48d4689a02731dedf82483a58738ba4131e4be90b2a44bd1ab9fd6a0a |
| SHA512 | 708ebe3314fd85d51ab0e73d83a7e61cb00d6c0ce5e78530f7ed6c9e6bcd827ca5b3ca4cd34842bc2d7337fdd73c4c1f39407f5e8c94ba6a5fa8e9130533350e |
C:\Users\Admin\Desktop\Lock.ExitWait.jpg
| MD5 | 8c6e4a130490884531ba75b7bceab2d4 |
| SHA1 | d75228e8078f78589b6135695be4d4daf11ae214 |
| SHA256 | b3282350b4e22b2945278ebfe4bcb43c6d30919d9ff112448db042d7dbfdc2ae |
| SHA512 | 43fb43e7b073de89cb210ff50257024e9798c778c75f6bca2c284a0406913d1f1c7b4322f4f3a30fb42db61e9448c53956d556b0ca5eab8d85c3d8f4d4c1f3ce |
C:\Users\Admin\Desktop\Lock.EnterShow.htm
| MD5 | 779e919f02e5aaa87da21602809c398b |
| SHA1 | 0233e9db3bafc83328bf486dfb404c0c55e3c31a |
| SHA256 | 27c4265036f936110ecc6d7be19656b708728eb1751bdb4d7c1e9fc1d601abd8 |
| SHA512 | dc9eae7db3eaa62e16c176e9f17d6394ac887ec10e0f8eb12f4855dfcd729627b5789a28c9f7f10bac5e23b99b3b4037f1fb5a84cd75072789d859dcfbe3b363 |
C:\Users\Admin\Desktop\Lock.InstallSend.ex_
| MD5 | f5111f27b4cbf404f5c6536bc1d95fd2 |
| SHA1 | c353dd920ac873b3208f62da1715053d6dd9386d |
| SHA256 | 5819331f3f938e2a3660e892d8cab9f6a608c42c5f81120b5961aac3181213e4 |
| SHA512 | c3c739ca37a4923d828e5f7fbbf88ab6c1974bd49fa8eab08aeb08d87a8f6585734276ba51b0f85a2b7b2d9e51b223b76ce9a0b0f2e6dfff1a8853ad02ffe693 |
C:\Users\Admin\Desktop\Lock.InvokeJoin.dxf
| MD5 | 4df3abe315463a30290973be76fb21df |
| SHA1 | ec557364209deda25be76a76d39ed6602fc78e3c |
| SHA256 | be4c50325063d823c3bb7a0eae2ba97fcf715e3b29940dfd818a9ceaaa10bb6b |
| SHA512 | 0877e14b61c1b9328f52c2dea45754509057280c942796eece17881f70c2ca0ca794fb48333eef57b2b62198343b62791dd898e23758cec140abfa7f3b1a9f4c |
C:\Users\Admin\Desktop\Lock.LimitInvoke.dwfx
| MD5 | 13686eb144b2e83ebf4ce666f58caa6f |
| SHA1 | 81dab857f42f666750ac5f22e2ab479d3aa25e2d |
| SHA256 | 633a9d216ab944c184d72991e2b6b37d3c4bb01287fd35c72155b5c02d11496d |
| SHA512 | 75092ba7c4daaea299b798a84b7ead9185461a27f2f3314306e910361eb62674d73006318d9c6d90f00c0cb72bebf4cd253e9d6b246cbf36a29926049d0da724 |
C:\Users\Admin\Desktop\Lock.MergeInitialize.rtf
| MD5 | 05bebbfa268b3fffd856c60021293cb0 |
| SHA1 | 732b03919b19ed0f3f1287ad66f93a4184847031 |
| SHA256 | f303032b6012242787b672785c5df67b85d4e3c1a3791996f0252a7783d6d79c |
| SHA512 | 96953cbba7bba846a2e4da6819a6e54cd11a46e482f0e64f92d25ca72e98981160164e72442a5c78722faaba9009b4f52afbf1e8a698c4a490520ffdc7072e57 |
C:\Users\Admin\Desktop\Lock.MountInitialize.ADTS
| MD5 | 10e774d33b41b134558007f68c0a1f13 |
| SHA1 | 0edf654313cd4eca438a6ef3e26662189e48fabf |
| SHA256 | 19ffe4e3295187024c02e8d79a8db623a8dc3f1972054bb9b787ea4725340177 |
| SHA512 | 01da0f41c820aff2fdb9c1ca38dc5827be149ca8ec6be86ffc68be88d5cf8267adb3bcf18c84b5a941397e8856983f096952a9a06353ff520d3c1d262b920c3e |
C:\Users\Admin\Desktop\Lock.SaveHide.png
| MD5 | 3b12dc2b8f2fc1f192e7f820a7bad014 |
| SHA1 | cc49e98590315a3f4b0bc19d115a60f8c5eb58d4 |
| SHA256 | d61724e633feac5099e4ca4a728682697d6ac40764cad414e276f93bd6d6d51d |
| SHA512 | 3203edb10b0e70ffaa22712952bde28c3e7a39f09e820bfd5a1ffd061b9587c1a5db6324b5b8733ff1c41813aaeb8e7f4ddb0d5c07ac3a94cfd96b815014386c |
C:\Users\Admin\Desktop\Lock.OpenSwitch.js
| MD5 | 1872816f38ed9fc5cc81b66630d3e166 |
| SHA1 | b56c195fd326c50f73b9afae8612df630236a246 |
| SHA256 | 90df6c104bdc99cc417c1897a3474e17aea38d7b23121a2a8e3f77a5f108ef85 |
| SHA512 | 0165eadcfccc41985cf63f60cff365a0536f5b61558630b1c7e31ff87d3b831402d6679622ce0644e28165f3a8eb47eb024b1c097f7f2c85f272e1de8880b6a8 |
C:\Users\Admin\Desktop\Lock.UndoSwitch.au3
| MD5 | 7ff6e96db392fda219fe60ab85afa4a5 |
| SHA1 | d654981f6493fa2b2541b65ecd4731f96421f971 |
| SHA256 | 1de1c4f8ff019af1de36a5a89ca2f2722962bf7d661ff67570b9e8bca55df8fa |
| SHA512 | 3f3fa4eb6e3d0fad544fda8908b9a8785fa827cfb12a5ac75ef12f3c3954e4732bcec6e3aa561cade899dbff95bfb97aec85b066259abd3bebfc8da4554cad4e |
C:\Users\Admin\Desktop\Lock.UnprotectSwitch.avi
| MD5 | 20e48da4e87fca3be6f53f3e770a56d4 |
| SHA1 | c927a481278fec44c37c12ea1ec56aa0c5ad183c |
| SHA256 | 4e3a1316f36fd03d48c74d36107db5dcb12edfb6e44a800c1e03350d0d1b3065 |
| SHA512 | 862e1800e7730b1036e58cd692e08f5a9b125a351f19c73e22a5efa8ac4facc5bc7d17eb7832ed391fb88e59d4d2bc40a59136994d52360920f1f6b225c95e6d |
C:\Users\Admin\Desktop\Lock.UnregisterExpand.doc
| MD5 | 93bef71c4d5323f73d02956b9ffcdeab |
| SHA1 | 3d8a46b36d846dd3fbdaeff5af5f3e37c92488c2 |
| SHA256 | ede62e14b45cbca864a41faeaedc684911d220207d660dfb1cede8c26879505b |
| SHA512 | a39d8846b3aaa7f2381d3ffc0bc73248bb322d584a6f4c6d902248530b5ff2e87f889d0abe473c9a81cd3a2cbf0046f435c6ddb6adc9beb5c98db2b37fbffa11 |
C:\Users\Admin\Music\Lock.AssertClear.tiff
| MD5 | ce4181f7704f6587acc916d412310594 |
| SHA1 | 0b96c98ac284dd647f287f1713e8830eb7f77383 |
| SHA256 | 3769d6626332dcb313093b9d6d4c02eed7ec735e456b9317a85d66641a043696 |
| SHA512 | e2a56ff5f65d0afddf96c0c4cbe3c58e3e1b6c3533eb420803f9bad293f61fd1fd6528c8cd0f3dd065d555a6ee4b0495ed2222352df6e7cb6e837fdabba29d04 |
C:\Users\Admin\Desktop\Lock.WatchConnect.DVR-MS
| MD5 | cbd97ee42eb43c4ecab3daf8523d81d7 |
| SHA1 | 7a466c5202f59cea78a14ca9834e049fa722139c |
| SHA256 | 49c07abacc76819b319de36a42a5acf899380045e176d88dc6a769530450210c |
| SHA512 | c39c53e9bab188c9c38cf2fc319a49399c64c5fba4c301837d44568f192bbf44a5b338f09b6814a1d7e5b5dc1237267f373362b1757cc9fed8eb71f1983d5933 |
C:\Users\Admin\Music\Lock.CloseAssert.scf
| MD5 | 95e18724d3bcf477d57cfb90dbb159b6 |
| SHA1 | 1bfa67cc71ee4403afdf809dc050f9bba9e26993 |
| SHA256 | de48fbc0186f32b16a7cf7008d5e55110e005301eb2b761197c7acba8dc96cbe |
| SHA512 | 71586748185d2a15ac8be39602284182d6dd58b93db7a9804dca603ecb3a6caf4d7a684b87234ea846120ad756f1e6c7333b56ac4af552ca49760de7f59ba5b1 |
C:\Users\Admin\Music\Lock.DenyUnregister.shtml
| MD5 | bb5dc44b3ce2b78acc226129b3a0ae20 |
| SHA1 | ef9c74e219887916767c3c3f193877ea92af68b4 |
| SHA256 | 6852b8d34c5990444ea9897a9c394429fd629e7ca563432ce7703d378550f5f0 |
| SHA512 | 12dc871ed50fd6c55819f9b98ad62c919cd3c4863d2cf66ccb54b959e317b5516ecd62e4d890fb0bbc6999f4201b97304259e60816581858d86aa454664971c1 |
C:\Users\Admin\Music\Lock.RemoveConvertTo.nfo
| MD5 | 96b5a3678117daa1e8862134b892f5c6 |
| SHA1 | 0edc6d3aeff385c3ec6888c8e9a2a79962273446 |
| SHA256 | ba90d46df1469eab5793b8acc4a4d0fee2ea8a712b961bac35e313a7a553f920 |
| SHA512 | 3daa36dc5a63edb90438ce317372e17778ed1642fd07bab12f2fdd63e687c4fa8391396b98aea2e67a4da6c0f0b9c23c58f3c57207f07cac3b347b2816f4483d |
C:\Users\Admin\Music\Lock.SetImport.dwg
| MD5 | 59c04cad3316d960ebcc400b5c96843d |
| SHA1 | e5b6891bedc7a2ac7b1b6b9bcbb061edb005754f |
| SHA256 | 8eb88a3a7d0f55d627272b56d54e2648737a76e95cf4777ebcb7cea563df6909 |
| SHA512 | 9bd15882cbb64653372172b0fc16fa9ca8173f0ea82cdb65b230da55c982e357a6d87c0c22472de2dd1379d5bc7e14c3345e0e59f7acc1b0521adb209b89492f |
C:\Users\Admin\Music\Lock.ReceiveConfirm.zip
| MD5 | 17e177157508a2a2c2e6f8ce27a3d8a0 |
| SHA1 | bf6b4866c65dd6f4997ac180b9d95ddc89f47f80 |
| SHA256 | ed40a8ee9117bb8f503a2cb353a26d31758336204f42a67ace01acdff1fff36d |
| SHA512 | db1de8098e56cd7fbf66a345faca50c380fd04213648eee438aef70300515b7f2db076d555ef908077674e72ff054a50987d354a4a1bcce23c07e8491fa910b5 |
C:\Users\Admin\Music\Lock.SubmitComplete.wmf
| MD5 | 1e91c983ef561e87d3829fc9ed213b55 |
| SHA1 | 265c693d29956ac9707553dcbbe34fa8b3f6f41c |
| SHA256 | 5679e3bfeab5cd9d2df8ecc0fe7db8bb47b2bd9a2921d9140ea35235fc5f0c37 |
| SHA512 | b6a2c68be9d800794853be8b669bac3271f3b19743c3ebf321ee76767d81dfa256a116824b9181e8ed79f2a31cbafd49af48e7050f86fb4c34364f152533eeb9 |
C:\Users\Admin\Music\Lock.UseSave.mpv2
| MD5 | ec6d5b742abfdda78e238aa765e4c6a0 |
| SHA1 | 58c1ffb9a73b46f95f489b15d2e4f6d889c254bf |
| SHA256 | 3da1657aedd3a02d852903421b3e1d992159801eaea77efffa6f8746ddbaa552 |
| SHA512 | 8deb8bcd44a6a42d52ead117f6d60427f2443ff5b2472600882f633a8c970c4c638f0ec5c75684a3cabaa0601b6bf9df33e42fbef0f2e657a0ebaec0a4479b25 |
C:\Users\Admin\Pictures\Lock.CheckpointExport.dxf
| MD5 | 0f0e2dc6c864ff9c249f7b2fd01b5d05 |
| SHA1 | 8f4d3030d885d441fa728dbb9e266e49c57f8fc7 |
| SHA256 | 2ba9cdf9f101dc7cd11ebce84d61eb03246c0da045c9dceb6c2e489105452a8e |
| SHA512 | 5b13dccaf7393b1f286533208a0468da34e03bee08e6a4af192743941b03b04aa0bd9bf0d618c1d51269f1e329ee2aeecd32b4a2a829576a2c3a2d3bcbe15000 |
C:\Users\Admin\Pictures\Lock.DenyConvertTo.tiff
| MD5 | 7f4a73b8b8e8f80c0ac786f6a973ece7 |
| SHA1 | e55e9e4f8e52077b801c82c27aa54c433a636517 |
| SHA256 | 7b613b39dbb4f685955a1a3d60f7069125f9d50cc177701ea588488e38956a22 |
| SHA512 | a1ce5284f5059a7137a63f8272cb02389fd6d0a84cb82f20c63aea77827c1e9449f30c6204a24408e1c1ccf99ec7c1907c7ec4d41dce2e2a34693e05cb53edf4 |
C:\Users\Admin\Pictures\Lock.DebugHide.dib
| MD5 | c5e7138589ce54699c29de21e69ab781 |
| SHA1 | 3b4d951e2f92ecf092fa39d1615ef2cfd2c8d915 |
| SHA256 | 2cc6182a2328b3d65a16ce4425c4cacefcfaf4bcb398c06479f5183fdb5dd0e4 |
| SHA512 | 4e1f1108e70c6b54fbc3f0657c0328ad1bf9d78fa3b044b26152c7258d33ca9577cbb555eafee2fc6716b55658269e9645ae5cbefa65d22bed4dbeb4f8914c93 |
C:\Users\Admin\Music\Lock.WaitUnregister.rtf
| MD5 | e371d4e66cfed323c34d3de48e89876e |
| SHA1 | c4320df72cc46cfdc03db7548a7666322aafc851 |
| SHA256 | 2adba86e1d85950569faa0b5680c038b68c84f492630f5429825468ada0e0fd9 |
| SHA512 | b2d799d48e3be8d6a0294d9d9f884ac3fab98f08c86c824af83530df56f93f90a3f9b5bd813028471c43f8ef85fc608dab29ad6c24471066b05ed473d01076d5 |
C:\Users\Admin\Pictures\Lock.GroupSwitch.svgz
| MD5 | 1a98bce6b1dfdd56e3c12f31a8b0f764 |
| SHA1 | 31bdbce586ae20443b08ff33e0147d658af7317e |
| SHA256 | ede6412dca7893b2dbdb17d26c39ddd626401e632e2acd9844aa1d19b4cc0e6e |
| SHA512 | 183220f947a071f448169c6c5e76526f6d189e8e295e9ab1c9a4c59ae2cee1f6c515a3fda47ca75466d5fa028c50e17e3d9f3842b86fda55fc37673d43386c7e |
C:\Users\Admin\Pictures\Lock.FormatSend.svg
| MD5 | fb7554a8e649d2101e5cd6d87aa4b6ab |
| SHA1 | a31158fc6bc8e6a25f9d5ca8c5cabe385e320263 |
| SHA256 | dba95bb0472e5eaff3c56983b9fced8dc179cf9a57d6f4128dc72d8d97329e7d |
| SHA512 | 209095ea49097d116be4736853ac11d9b60feeba89c9050b81b27f14065c22f3c897eed4ed51d9ff2c5ae2761ad88de9765cf0bf3158f697e96b4fb281aff6f6 |
C:\Users\Admin\Pictures\Lock.ImportStep.gif
| MD5 | b3cac7b65e4e77fcc2d7f58c1adee71b |
| SHA1 | cbc729f883649e8b0d9744e75e3498150d3e0893 |
| SHA256 | 8d0a9f8600a1514359815715f2891c546f3b90686f9764a83c8460bc99cb5de0 |
| SHA512 | b95831276a6879d0f4f72150f05760a6f3770f3d8e8c81a4e451edbaffc494bd413c2255b971b1b6f1f324dc83be80803f85039c761176df9c6e79db6d0e0e70 |
C:\Users\Admin\Pictures\Lock.InstallUndo.jpg
| MD5 | c108ab58f18749e5ff1792e421f2307e |
| SHA1 | d8a06702eac850bf284ae75c9172403a852255e9 |
| SHA256 | 530d11fe1ef783b2addf0a65d76a033664304352b9ac7606cc657dab4c8b5fc2 |
| SHA512 | c325a726239b441b6eea09e87bb40f03aa8a01bacfb59de2db1bba393b670e445f8fc44ef5f5a685d5a7762d93d339ce07e278f787d2b6332879fa870e0a0f94 |
C:\Users\Admin\Pictures\Lock.NewRestart.pcx
| MD5 | 01dc54d761bacffc7f71e42a07fb74b2 |
| SHA1 | 4e110677d859737503d2b62610db2c25325526a7 |
| SHA256 | 4a05c6f7362c987a312f23dff9a1429c7b0c7637a2dcc8067f8a6327b65b3619 |
| SHA512 | 170ce652a7eed16d29e029048a29bccb04d05dbbb774b125b9dcf7dfd48f48c78b0a0527b0eab5df549b0a0822d4d7c7287432e7d078373b4b6a889006b73147 |
C:\Users\Admin\Pictures\Lock.OpenExport.bmp
| MD5 | 63db378ef5691008e7f0ff77ec5a4374 |
| SHA1 | 12c7bc7ef5723f1a50371de0bdc20ed53eef1b6d |
| SHA256 | 601d6a8c25023295925248a5982f7d166dd188ff37e82c445f4209d2f75c251a |
| SHA512 | 0b41d57e1762935a0c8a18dfcc31c3ae2406da613a95db44f8d1cb8b236fa8471abc3f97eec05f7f7ccfd36f2dbd1fd7c93b15b3149598e744a4425bb7f18132 |
C:\Users\Admin\Pictures\Lock.RenameResume.dxf
| MD5 | 66db7a1cc9137b0a2e3cf95185e469b1 |
| SHA1 | 819b6b801c17f4b68c2daac33fc7cb72426794e6 |
| SHA256 | e0b77e7e459bdd6ac3e4983193a6b83510784eec83ec8c57036a8fc227f8a818 |
| SHA512 | f3f1672c9288775ad96961bfd02355bef11604728baadc5e74e8aaa8234a273f205e5ace788d1a308a0d1cd596fd336a9900fbf6d4ceefdafdba6d3cceee14cd |
C:\Users\Admin\Pictures\Lock.ProtectRead.pcx
| MD5 | f4e7c810cfd95a2d4886196e7a8ddbef |
| SHA1 | b70b0e3a8eaa9362247da96c3f003e2c26415a42 |
| SHA256 | 25da1942da4ebfda3e9f056b3f266bc7bdf6204d25bdbfa88676b016ce01dab3 |
| SHA512 | 879e93cf31b397a4e9b17b69d6486cb7522df3ceb8760b5a4f2d7ba5dcd32d2b53b186c04a0affad07275b907c6275617b1f4514b6d11489b59cb236a647cadc |
C:\Users\Admin\Pictures\Lock.SubmitDisable.dib
| MD5 | 825cfea353311864100ca8076040a1ce |
| SHA1 | 161a28045a2b126b9adb877b7a053e4c0c4d1402 |
| SHA256 | c3d35c590b3ed8986500483614f76332f80900f01a8e149cdafb86cf5fad918f |
| SHA512 | b01ec5b024a44a9adf361c469709a661e4cc5364dc18c7b883db0d9fabc63896f807c24bfeda639a6a37b2fefe79308b17a0f1f6a5ffd392d3f6fe974994b611 |
C:\Users\Admin\Pictures\Lock.TraceSync.png
| MD5 | e51770b73c22c76ea51a988ab04d5948 |
| SHA1 | 56f2fb409015a8b37069a1c5e774267db7b0835f |
| SHA256 | 62bf0865003ce56a745cbf45d8ba50310ef5c65e5ed0c1378a652edc3701dedd |
| SHA512 | 8613c61bce68749721ec46a80c88c4a471465f8d6f56873c033febe78561481fb24d8db7d971365975ca6f0c37db986b261be106027b6678b1468131eabe9c71 |
C:\Users\Admin\Pictures\Lock.UninstallUnprotect.jpeg
| MD5 | e8a956642311b524fbfd3c117ec5de66 |
| SHA1 | 3f0b8189394abb0193820dc7f8112f358b295f83 |
| SHA256 | 89111681ec87429bb45941a302712f1cd3d9cfa49b85ccc06f0080b55a1f3a96 |
| SHA512 | 7b3643f2a67fd0bdabf5d6930428d36a43f4ef589a2c968c731486e4b3c6f34659e1504caeac9bc328c570711233b14a53fdd93a0ab68505ef85ad2e8a7e0864 |
C:\Users\Admin\Pictures\Lock.UpdateRestart.crw
| MD5 | 2720e9c59aabf570bc056392453291b9 |
| SHA1 | 5f50a53171d423277d9e8ca59f49fb59d6c10ff2 |
| SHA256 | 494e5c6913bc06ff06f6aeceae1dad855e0f04b5600a78581b7fa454f3f5cfba |
| SHA512 | 8303c9505c48282a9199a478e75e9b025742724c92990e15d07a1d403be92c148091be39e806252e08150fb52d4b2c23a68f036bb5e267dca9356ed21c0a9525 |
C:\Users\Admin\Pictures\Lock.WaitTest.png
| MD5 | 9f217e92a66127e03efe8bbd34d8f459 |
| SHA1 | d9be7f77eb3f2d644cd5e59a526c21e1466b37a5 |
| SHA256 | a00ffa9e44e492aac923589435605b08867d6879505fdff674e6eff7fc7b2be6 |
| SHA512 | 3adca829d0eafa4bc362772ceacf079c072ddafa94be1ef6a75c022b5504d811f99a5e13537f9b1d56da3aaf47864801d3ba96b7332754d3f129cd2000d8ef97 |
C:\Users\Admin\Pictures\Lock.UnprotectDisconnect.tif
| MD5 | 41443f4b22ece1644cb267408fa1ea78 |
| SHA1 | 0832b753dbec2a160c8023f5305276e540f3e06d |
| SHA256 | 23bde15fbd3962099365b5bb0e2cc62d4bcfcfa25512543ee28473f5a6d61e4c |
| SHA512 | 082e5a625f9bddfaeeb21b2ebb583e53d517d016d630a96b3ab786360332cb51b9b7eeeb2a84756d4b566eb6e5ebf61868b74b6c65fa007824b5f2df6e453204 |
C:\Users\Admin\Pictures\Lock.SwitchWrite.jpeg
| MD5 | 40f31a5d05de963ffe25d928382a3b25 |
| SHA1 | f407ff2bf10a6aba7568058198a0dadeef48d132 |
| SHA256 | b173172cdb720529b761a8ede8f253c6afd5fe2dd838c236c4c25a3eb27b9d11 |
| SHA512 | ff2eecb7252bfd4b2186facd9ab92b3eb06800500b745a66acd16024f90ac8b2f2e4f573730d74bc79856a30e67d80d931cf21ba5eae8eb1cf4598e8ec775df2 |
C:\Users\Admin\Pictures\Lock.My Wallpaper.jpg
| MD5 | 1b7ca3a5440ca77da9aba7b158022c3a |
| SHA1 | 62d6d1ac8c57ef5c44b3cca15d63bf4868e2eaf0 |
| SHA256 | c415a2920a393458b1f36fec018094747e4352dab5c60a0083d6b325eea53640 |
| SHA512 | f40b728afc1662163e3f248cce074a199f4ded69f911982ab71cc20a5e3be0eef56fd6f7cfb144307d5833b283063f58794cc9d9d21295c5457e6c6d8e68e6b2 |
C:\Users\Admin\Pictures\Lock.MergeRemove.jpeg
| MD5 | e06b2e7ec8cb9e94336e356074af7b78 |
| SHA1 | d3a0cd8bbe45d508196d364d16c2f00350da0404 |
| SHA256 | aa1fc0dfeedbc5ae3c28ac124f7e7cc29630965f5df1da37fb294f888f88e870 |
| SHA512 | ac9515ec73dab9d4e695c83abd69cdb5468ad781dd782cbe41a6dda418fa96de121a547d16f59c20dcc877f0a804918ee0f8310a6ff034e72129ac113bdb2b9c |
C:\Users\Admin\Pictures\Lock.InvokeReceive.png
| MD5 | c089cd2f24da3c201b1141da2eb5961b |
| SHA1 | 97718822cea7a7a889c54d794265f63889aeab6d |
| SHA256 | e8f1129d8fd943ac5a547d5418fa6d5e22486a556d981c84e8ef8a436c426b89 |
| SHA512 | 0a61229fc14685f6bc7542b3d50304149600cd4124d92e26e005c248d3314865dc309d3b0ffa9bd84a1be2d151bded776cd2dba71308608d9a25b5b6083386ca |
C:\Users\Admin\Pictures\Lock.GroupWatch.pcx
| MD5 | 62d1e273292b740f90eb8d602055552d |
| SHA1 | 56be959b70a6e97ff37e96a8304178d0612fe552 |
| SHA256 | d8823df9a0f7f738294032d3886c977e8ba2df7c02933e9e3bc7974992f9eacd |
| SHA512 | d492d583a58c1b5987bd0b775824afad19e85ddeb90221ed2b6a4fd79c4b86b55d847f705b9848b9f54426b374d4b1659e9ca992861c8f1c67e245173eb1ec4f |
C:\Users\Admin\Pictures\Lock.FindProtect.tif
| MD5 | 42a3e6336f95a994f1291afdd61da731 |
| SHA1 | f344ef09048fbd00b80c02142761ecb286b08195 |
| SHA256 | 492d9ad266efeb68f28a5ce7208852a3fd08f551ab2243169128aae0c24b3625 |
| SHA512 | 7ff4ddcf969b413da3f06f907c1451284b0e8e9077b84f6fecb69d1afbf11e557343e580fcdc69ffe617ec33f6214dcbdcc81e1dfd485f9ec7ee4c1fb17731a5 |
C:\Users\Admin\Pictures\Lock.DisconnectAssert.tiff
| MD5 | 4176f03c5422b607fcb8bc65bde57d79 |
| SHA1 | 55a18634e6993f98111204e290b0feaec1cb640a |
| SHA256 | 4bcc3dabe723f053c2b1bf75ac164023fb0cb38016b26601dbd38a4ced7f0345 |
| SHA512 | 8089920ced1f5c69eee9856ed11c399610e6483e2c61b91dfb93a86b7dbe7af540b42d965b069fccbd06c1e5f79e2e4dda1f353d89dc3d605c7b3a0197b06ffe |
C:\Users\Admin\Pictures\Lock.desktop.ini
| MD5 | 82d46e91be16a17eb99f24cac1768f01 |
| SHA1 | d1cd482829c5e89d764a36af5db3b23535b0d8f0 |
| SHA256 | cb4e93277081095bdbd95f8bd745a80700689bc25483259ae9d970a2c72f076e |
| SHA512 | a403d5ad7040fa10b999566ca1d417361d4e833ed2d91beb993c5d8f11ee4bb5263861075b484dfc999cc58354b1b0c071405fb993819431e0df6893e01589c5 |
C:\Users\Admin\Music\Lock.TraceDebug.ogg
| MD5 | a46c29c847b9a8fd734d0e5be13939e9 |
| SHA1 | 1ccafda04fefc719ebf8805bc74ebc9943c386cf |
| SHA256 | e423d06ff02aaa9242c9ef064ed41d7e86a58eb0085c3efa545b108e9f6e8a33 |
| SHA512 | 4f1e33145d0767fb65b7f7a19da2cafb700c15319354f9c30c943a09da1883a4913e1c8fc4734315842f1de07d5694dfb44e6dfcac36b1ae5b9a1ddf924fe40b |
C:\Users\Admin\Music\Lock.ProtectWatch.bmp
| MD5 | 1bf6d374ac487ae79530b7c9823eb2c1 |
| SHA1 | 70547affb6e16ae9da40a81fb09919a0f25cd047 |
| SHA256 | 82a9bc9193914f244878b5a09b10d1f4a4ea30af3d8c41dc8620e545b5e718e4 |
| SHA512 | e46b1463b46256ce415068b8362da7a2267158b449d3a9928fab8dd7226d201178bfa4f256a6257008c3f0ef8383a41bb6f3b5349bb595a71721f8cc222ff9f7 |
C:\Users\Admin\Music\Lock.InitializeDisconnect.vstm
| MD5 | 6fe6a8d3965adc7ce690c5f175dd59e0 |
| SHA1 | f37f1b47e1694b7b33213bb8c9f223650913f6f4 |
| SHA256 | 03f96d5f7d70289f2960930cd26fe6fcc3d5484e08556f582c40e5a1de9e2bcf |
| SHA512 | d9560ea2a45d391d2b20a4dc9fbd54ea46ab2a40145f8e59ab26b34eb5d97c7baeb0cd057eff89d06349445ab9ba815c5c112dc488a4ce71b211aa12abec427f |
C:\Users\Admin\Music\Lock.desktop.ini
| MD5 | 3e5d2582a5d0c915afef6c8cafa343d1 |
| SHA1 | 7062928a2ec000838f78dce8c48693a1859471e1 |
| SHA256 | 34ae08d15c34e017facda7c39f7b5f9e8cc891b160072b908969a1a2523772aa |
| SHA512 | 2cb2f561be74448d361099883ea4fdb9a1ea17a82970459fff7e35802617726561b52955b147d5fb23d3a3bb3d88539af645886c2d0e46716fba5c641a2b90b7 |
C:\Users\Admin\Music\Lock.CopyRequest.TTS
| MD5 | 1e6f1502f6f316a0089f1afea42c5e11 |
| SHA1 | 6e905bd5e1b2776a532a5ed9a104042a608bd303 |
| SHA256 | e9a641985c6bff968da64e2dfa44fafd6777d5c9dcf654515151e0ab206d0b4a |
| SHA512 | 8a036f9ff4d6c1205655bbc27f8bd61ac653070cb3c2b96439445b26b03d7f77e7271ff20c4061737236b30be77026a637ad1001c7bfd31e9361cb0c0bae0ab3 |
C:\Users\Admin\Desktop\Lock.SubmitSelect.ex_
| MD5 | 144730898b5536c7b0bb9e048f77ecdc |
| SHA1 | 03f63c3af37985da98253a7b40883926b9f0b04f |
| SHA256 | 8b526a9f0c224182380ff9ec9f324bb7d6537248961949efdaf039c394b945b7 |
| SHA512 | 5e0f4b1741b12e9df86b311e2c1d5479851342abce4469ad5cbda55c5155623eb2d202019d822159d4a7b9ee8e692f2c33e45775e14ebc61e338d44cb8e807e9 |
C:\Users\Admin\AppData\Local\Temp\14fdb863fe4444678c7b957e43504474.exe
| MD5 | dd15af9b32ea193e0c82887e4601f2a7 |
| SHA1 | bab37b838bc1d858906f1ddc66c5d1168320d192 |
| SHA256 | 7189f55b3d5153bd190991dc5e3349755e300fd20b0e52a34e57579e20308888 |
| SHA512 | f51542a4f6ae0d92cfe18afe4ff64c4961e04e24f2fa88da1adcaeebae28928c63e3d33e975fd413608fd3d03c5111340dbd8c4ff6a721e72154f5b7c5a54688 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d4c957a0a66b47d997435ead0940becf |
| SHA1 | 1aed2765dd971764b96455003851f8965e3ae07d |
| SHA256 | 53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163 |
| SHA512 | 19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 343e73b39eb89ceab25618efc0cd8c8c |
| SHA1 | 6a5c7dcfd4cd4088793de6a3966aa914a07faf4c |
| SHA256 | 6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223 |
| SHA512 | 54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e0d65f3ed65d94a4e42453fd53591983 |
| SHA1 | c982e5e2ed4a9962dd962069e83ba06344a03289 |
| SHA256 | 92a43f1875f99920a6a1a7b42e27dff46713feebdeec737ae4bbec1497bd8547 |
| SHA512 | f68106700fb6dd1bd7156ee90bd68cca841281d21e6434c10862a921d03249474866609305c34b455b7cc4de4058cf007b5394901b667eb83db65bcabd434941 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 20b13bde8196595c4daa8c273922a9c8 |
| SHA1 | f00806eef769a0b5172797758e1fcd9779efa09c |
| SHA256 | 746ac70fb00bc228862ac8337983b570c77a11060ed4ca632331ecdc3e0aa9b6 |
| SHA512 | 87394535fb4aa9b15e9b283b92a5ce695fd72c9169dc0fe2dbd970d880fac11e7b9e2f437ae598a7ff11a86f8b15332cb5b5c9a77000748e9619e5c58a6fd524 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe6090ab.TMP
| MD5 | 3d9ce96fa073c21716fc39818e029d60 |
| SHA1 | 9a2faa681910d5caea681b73ab33e8e8c6b5b828 |
| SHA256 | 13369da4514ae936859c22081732afd4c0a404e45c58212f81e5cfc3009290d3 |
| SHA512 | da47a39d074ba83ca2dd689d18a8d2ab2b5e4689a0dbb85508afcd169f1716f0139ced7aec6943cfa0f981507541b05c5ab9a8e9ca6b0dbf5bb5fe4d148e26e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 5ac5e879daf311da068f1f12f7e8ac02 |
| SHA1 | 54e9c695a72eb75d47e39409e6b12b25091d46b6 |
| SHA256 | 5e5e15bcb4e81e20d0b1c9f28471bf6ff087e078fea1df0f253341515d72c7fb |
| SHA512 | 2d22168a5d388c8457ed346e611c6569fd34dbd6ec8343704fcda8882d0507a6da2074e058c4179ca9de2af6f5a1fbdcbe76786084ede32af065b5b31fcd1fee |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 36dc2f1972327245f7fc4ff16ea03ef2 |
| SHA1 | 97fc1741b65d725c8a43f9d57bf57fa8d55d297e |
| SHA256 | 41a02b538d31d4d03897c54d17f0623e6d00493eeca92bbf3b68089bf63b04a3 |
| SHA512 | 6b41cb3cb6744b93b164f952595d442665f1b4ff303fcc884717f8a02385689bd7e09ffa742d51b006b568b49a2123972b0b07360e045dd82cb330ab6fad091b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2dd43321fb553783be010f3d92eef1c5 |
| SHA1 | e49b37e0f897d47d7d1974b836ffb56216005267 |
| SHA256 | 78bf100c1c7e4c165b0c4b8a45e79955a466ce9a42920de745ddb000ba0e0cfc |
| SHA512 | 7da729d0b8b8b795ff9aa0b21b4988a8f7a1b600f52e0ebe11ad77a52e6c6f1fafd66cf730ef70de0fd1b692ddb6798cdaf0d0c6593cf57c9cb88a9f2e7ddfb5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 41ef8dcb7b8a4d1d49e1a4a190d5bae0 |
| SHA1 | f67caeb8ba970cde0543fac7dde0753466289da1 |
| SHA256 | 742820aee2f229a872d99e787273a4e922ad770b9693a152cbd9ec293ea36207 |
| SHA512 | fbe3cf0c994d12cdb159a385bd8560b30c5c43ca06fbcdfdc8f2b204620dcbd7c6dfdf27d68393d7109df434b57d1f3f34bf5312aea77464d077c0ef0f71109c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe60df96.TMP
| MD5 | 7d911b7826da476a75982742da6ae581 |
| SHA1 | e4b65dff5c13baa82e6e388369bd503dcec1f9fe |
| SHA256 | a9c341bd3bd276924d54712ff8e5e6275fb5ab80e850f402499cfb0233546b86 |
| SHA512 | 38d176e7df73f9f10dc68b92191df1092dd2c6098a3b6ce83afe651af792f79ba726e56986bacffdf1be497bae96db53fafa449fcd0b3e254a190b75920711f1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1cd3f2032aeae03060fb7720310509da |
| SHA1 | e3eab5a1e13ef44074d890d28a59b41af74e0a6e |
| SHA256 | 8836b960bb0555c17b5c59de4c7863e4921611b7c51513b98041c2451cada871 |
| SHA512 | 489a6ffab3cc5749a8ab48a755e2203feb834f9140e4610f244b48885d0c3688a0ceb440c9918ad42baa72133ee15d3b3d4d8bb57ae6c01088f61d10c59c7678 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\235b360a-ec4b-4ddf-a580-4b51ecb43d33\index-dir\the-real-index~RFe60e5c0.TMP
| MD5 | b84a6dab6c5809ebeec4ca2b63576c42 |
| SHA1 | 6761b5ff982d02bee43da80c17ae083c0f92922d |
| SHA256 | bfcf6cd4e757b46ed6655e60065b70aba12d3c7440dcf78d1477f6bf74bd1d70 |
| SHA512 | b04d48bedd4b6b270bf6fd4b95cb493833f30653a099ef81c3adf766a6e127dccb481647e73e8e517f8b244442c49e9ecc9d40530f4174765fa21a340abee9b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\235b360a-ec4b-4ddf-a580-4b51ecb43d33\index-dir\the-real-index
| MD5 | a19d5571b4682353eafe2879023258b1 |
| SHA1 | bcd0930d6332286d117e9545b5d40a5fbac6cad1 |
| SHA256 | af95a2d4cb695ca80548f7bc6a0fd1410a2f60f38461fa621b4b2ad7678c5e98 |
| SHA512 | b8179fb18d3c586e78e0c66434dd8e89f85c4e47620a979b428d36746c684ea9b8486240953651dca8d0d507b7d388c53f130fe34d380f5a1293bbfcab2d6e55 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 8b69bea97f2f56cad86b243fa9a84b38 |
| SHA1 | adfb6bc33b41439b2d88d0cdb47d45f27d680f24 |
| SHA256 | ecebfbfbb96b9fcb810bd89ad47464078a9eaf09c49bdc03ae4270f0183eb09d |
| SHA512 | 479789a7d2b2076653932445dff1e4289fa55ceb7207bc1a9151898c92f7d65b401338433c01040b03b7deed18f904a9c3365ec43f11600a9e88ce2e07deabf4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | a9f484bcf45d89ae043805a179bc8177 |
| SHA1 | bf5c977c8ef16f5014e4df7e602956d8f83d80c5 |
| SHA256 | 77acc6439f430946885e77917f96d85596e205e0e761e918c479dd12714f19cb |
| SHA512 | b59b11ec782b3a0a7fb6af737f3d6dbe50c5845d9c238a466bccf673ba7ea50c26dd0279261e4e99173ab66f388ff6dc367a8cc55796b5573a4cc995aca06b78 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 87c054e5d4068438aeac6aba4e20ede1 |
| SHA1 | 7c8dd1433f81b525091a2f1d35eb8d3f99e423d0 |
| SHA256 | 25f0b0d3e54c289f2f5e39ae1a77aa22c9a9058674e15bfb31f091f7b72f497d |
| SHA512 | 6e52f217b395404e32394d3b082e215c039ec5516283669282cc7881d3404264b26bd4c2429c4383383dfb0f553dc85f5fe01de78b1276cb853b3bae3dbc54cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 871d7cc1d1f6eb4e8f9a3860f8d5d2e2 |
| SHA1 | d787eeded82a0d6d1ce805e968ca78e06d42b8b1 |
| SHA256 | a062c4fdae4bf2c6da41c40e0f9219073434d08ca0dcb3e10b17bc4f876e3eee |
| SHA512 | 07ce0ec1d9d39b71cc2320c535e813e5726774f34530d243d69f5500bf6a199af4073d7902c5d270baf58ba4d5777779cd153fbcad558f8ca5be0fb3ee340ff6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 90a027910889f38c7b2215bd4dc1d74a |
| SHA1 | 62553885eea7d320d875f16b7a459f04ce8a7af1 |
| SHA256 | 57ed6ddde35d6c6b3f63f781f0def4862df4d21c6727c9f01ad7bc3b50233e36 |
| SHA512 | 12a6f41e9e2fd2b944e94909f7f4f3abd79809039ba13d3b19a65788b92a4bd490e1aef8a1c3d8331852252e5b29e2dfbdb5c72a601aa73b37449d56121d5dae |