Malware Analysis Report

2024-08-06 19:29

Sample ID 240513-pz95jafh29
Target https://youtube.com
Tags
darkcomet modiloader hack1 aspackv2 evasion persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://youtube.com was found to be: Known bad.

Malicious Activity Summary

darkcomet modiloader hack1 aspackv2 evasion persistence rat trojan upx

Darkcomet

Modifies WinLogon for persistence

ModiLoader, DBatLoader

ModiLoader Second Stage

Sets file to hidden

Checks computer location settings

UPX packed file

Executes dropped EXE

ASPack v2.12-2.42

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Views/modifies file attributes

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Modify Registry
T1112
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-13 12:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 12:47

Reported

2024-05-13 13:11

Platform

win10v2004-20240426-en

Max time kernel

816s

Max time network

790s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtube.com

Signatures

Darkcomet

trojan rat darkcomet

ModiLoader, DBatLoader

trojan modiloader

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Skype" C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
N/A N/A C:\Users\Admin\Desktop\123.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkypeApp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Skype" C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\123.exe = "C:\\Users\\Admin\\Desktop\\123.exe" C:\Users\Admin\Desktop\123.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "4" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: 33 N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: 34 N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: 35 N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A
Token: 36 N/A C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1192 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe6c446f8,0x7ffbe6c44708,0x7ffbe6c44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5392 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x460 0x40c

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3428 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3908 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,18290902352239813889,1901166733865398075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11708:108:7zEvent17313

C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe

"C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop\WinLocker-Builder--master" +s +h

C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE

"C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE"

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\Desktop\WinLocker-Builder--master" +s +h

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\Desktop\123.exe

"C:\Users\Admin\Desktop\123.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 youtube.com udp
FR 216.58.214.174:443 youtube.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
FR 142.250.178.142:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
FR 172.217.20.214:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 142.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 138.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 214.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 163.20.217.172.in-addr.arpa udp
NL 173.194.69.84:443 accounts.google.com udp
US 8.8.8.8:53 84.69.194.173.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
FR 142.250.178.132:443 www.google.com tcp
US 8.8.8.8:53 132.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
FR 142.250.74.234:443 jnn-pa.googleapis.com tcp
FR 142.250.74.234:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 67.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.179.78:443 play.google.com tcp
FR 142.250.179.78:443 play.google.com tcp
FR 142.250.179.78:443 play.google.com udp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.193:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 193.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp
FR 216.58.214.174:443 www.youtube.com udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FR 142.250.178.142:443 www.youtube.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FR 142.250.179.78:443 play.google.com udp
FR 142.250.179.78:443 play.google.com udp
US 8.8.8.8:53 www.youtube.com udp
FR 142.250.178.142:443 www.youtube.com udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
NL 23.62.61.139:443 www.bing.com tcp
US 8.8.8.8:53 139.61.62.23.in-addr.arpa udp
FR 142.250.178.142:443 www.youtube.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.112.22:443 collector.github.com tcp
US 8.8.8.8:53 22.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b2a1398f937474c51a48b347387ee36a
SHA1 922a8567f09e68a04233e84e5919043034635949
SHA256 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA512 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

\??\pipe\LOCAL\crashpad_1192_JRJOOSXMSFKFUCUM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1ac52e2503cc26baee4322f02f5b8d9c
SHA1 38e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256 f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA512 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 015ff3064d2dcce5d4279e1eb8381583
SHA1 0285b4f58dfc0983b880350ad7939086b662e130
SHA256 6c951e165f8a85cd21d6e9faeead8f163fea466b4facdae2ad63fd82c697b3a0
SHA512 158fa1479c9e44e335957b249598018148cafffd167bc6c155a9121dc525a7403d71e2faecc0cfbb9cf7d39a657ef529b450642ef642fe2576f94857518d7416

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 040d8b2b1473db1beb32698636957ad0
SHA1 3d1306871640779220dbbb8798f0a46239008209
SHA256 a639f8cc43ad59b23601da5caf070243bba45ac2d7f2fa65a38055c3c62de2a4
SHA512 b7645d47655740f15005760802ec29b61f2ef50cf1347a24e7152f907786c3b27e4f2aee6694a266a4a7f8cb8ea55e731e2d00b5c5d8617f53d308f8af5108a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 0171e6683982eb368a71df662f81b049
SHA1 1e2e99020287a54b8836cbf119d353ddfb8c70fd
SHA256 ef0b26ee7f572e7abc83ccc248c0f36deee9e7e8f12ebd7ec21adb5e36496795
SHA512 6d7442ccf8e07f085a54032a8f6efb8c5eb8dbff87b194b1ef40e26b7bbd072198582acbfb921db5f95f75a68196e730f1349e30a11a0aac82b9a24c91ed8219

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 2773a51818206834bbab2c5e86054ad6
SHA1 2fc2dfdd68863aee9675910a319cdfe35d34e8ec
SHA256 91e2a6d637f41c778ba15a54b6609bfb4d8d5f9d57827936b8b35ff1a973d34c
SHA512 58660809890d85d66bc93b360395accae501f1fe538100176c85cb657aeac79c1939f1610e0d1d1bdb47ae1146c79ff8c02a2d7070f6e53b66555518382b003e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a974cb15785121dafa4cb37e23fd7635
SHA1 54977ca21cec0e5121db7fd9065be355da0b764c
SHA256 1cfec81f5ed3dded202a67ede352709fa9d4712f30e1c069b35c7aed06763aa2
SHA512 eb1725689717b0a59e6279833ac9b9a79f1513cfbc2da096d6d8a41f9f8931f9d290e566761250bba9a5ed21ff4c34d1bb6c4dd1df60a724a93cb65640a23737

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0cac8673c5328a34178883f25444d6ec
SHA1 0660b273b09db3fb296545e37cfca11c3a161998
SHA256 91ed97686c159813606aca74ba1300a17e4413c6a86537c9db9b042d4badd0f3
SHA512 3a9b7a7f8db2ef2ecd78bd6090d9c763ca7a61a36d2f8b0049938f99fd6bfb0369c417c928ae1801c012ee0d8060af0c17d8b38c90fbcd3ba1d38aaa79041c34

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d2f0.TMP

MD5 9c4b550b87df5313198bc68da415af0b
SHA1 95695da66841c12c2637d91e5313abbf9d6d43c1
SHA256 141fc57ae775cdb8e66f51d2ad915bde60e27832a9b5bb36368a06914e70e82f
SHA512 f003628c0828a7c52cb484245ffd9cdbd8807132179a0a6dba31b835a7213be1132b6ec097fb5fc66da22296c1f409a6367ba38952192a82c904ab9d360f3aa2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 fb97819f4fd5c005477f2ded4fc103ac
SHA1 b4f24680862ad22053753c2af2105957db5e56dd
SHA256 34f200274c0bb453bbfca62b170708274ab05e7cb12213adebd0b13fe49c0a7f
SHA512 4ad75fcfb5be08ad7fc55a4688f2543a0813b1b5c928ac4272fa32d5bc68729c02d581d9d02594881edacf0261842934f0e770439dc684422a21078b54b68558

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\22cceed8-494d-414d-83c5-44c6b0031543\index-dir\the-real-index~RFe57d87e.TMP

MD5 06836a334b015b23e2fdfc0b28818689
SHA1 46a759c21f53c1ed83721405ed11ad632318d610
SHA256 ef08328c31ce17af0d98f5c9c28dcc3b2649875fd717c90e08106d7b74283fa9
SHA512 d454ddaf8f58e177ca5a17d92c69a567067bbf3c9e0ff1992d8b8d1dcc3b14da8acf9e874a080593f8caa37ab7558074b44e459c2421fc6d5c523209fa1ac876

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\22cceed8-494d-414d-83c5-44c6b0031543\index-dir\the-real-index

MD5 2998b32564bc29542a0c48ff06a0f86c
SHA1 1382a23a1d328228d99f53f3eef517e4cc57288e
SHA256 9b7ca85a85d133f270c74dae3a792b1c531455da57aa9548d94f870867d8843b
SHA512 46ad05b11866072dbf069af7f530a9be2681786b361bbd01e03802202389c29e8fc36bfc81d52f0c5cee6ab71a96be153008dd3936c0b1b41152b8870cdb7cfc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 856309a57516c7cce219af01e18198d9
SHA1 4f0fb00bf588d9860ee2c9b617a3550724687017
SHA256 9fb26a9c6ec327c52a62ff7546e8190504faca61ab0d3a65c15f44601ab86b49
SHA512 e5cc64fd7bf1209f7cdde49a9652a59cd619881ba7aaac580b6e7925622e7d245039a5823a5659fb92cd4f297826a9a38d9b4daed81f7338be552678c90a19b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ca8d6d038421a999d7d13c90fef7766b
SHA1 3f827143fd3e2f34d145c2fb2b64252d8834da9e
SHA256 68fb23ae2dc21c6880717a292275b165ffab8b0a53cd81f8b4403d7220fc6b48
SHA512 f3bc46c89fcb43b64bb98f11510246207d0e7e634f7608e0b999cfc979c8824f4e23e1d5ac9c89ca8f89be1eece67788291933e362f71c05ea992583be7c8de4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 95947f80cdc18d0ad3205fa5d72baae8
SHA1 ecb9649fea172158a4f26eb5299cc1645ff5e8ee
SHA256 f71a0cd5eac00e459200fd2a5a82529fef401eeeecb4296eeeb881e810ba74bf
SHA512 b77854c508a8ec8ac6e51cb448e7c23f7dd3cb9bb8653ae95444033e4eeb2d4334526ad4e0e3b74e956ad8549be8327de3a9d0a76aed52c01281bec754816c3d

memory/3332-317-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

memory/3332-318-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

memory/3332-319-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

memory/3332-329-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

memory/3332-328-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

memory/3332-327-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

memory/3332-326-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

memory/3332-325-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

memory/3332-324-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

memory/3332-323-0x000001BEC0D80000-0x000001BEC0D81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a68153093186eb58b4db7abf520c9d06
SHA1 0987f71d57374fa1a5ffc7c35d2763cc839d6092
SHA256 b849834ebc38b93c0b85ce9382d46facb188923344ff9346f24434da287e58c9
SHA512 432a8ec90e5783131938ab4d6850c2c6bc5b9740b3d7682cd6f6ef7d991369d1adb24b4677b468ccc52c40a2729733e19082c3248cd81b16295b42b33c40b310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 9259d2982fc420346fe6ab52bc9e68b1
SHA1 9b52e060397c4ac3b735e99ea053acd9f145bcd9
SHA256 0f2e7b093af0db1f48c06da04c1a8314c52105a825dafa8d7569898a1697319d
SHA512 b6ec3537b5ad078c740a6c528013e19f21f1747cc0177f9230fb63b3d2fc788968279de5686576a08f9fc550e724604ee464f458872edb495ecf7b9738bcc36c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 aaeceee2fe07ad5e9d0fabf6fdfbcb4d
SHA1 13bf83253baf10c6f00503d77d999e2ba6e0f298
SHA256 bfccd4d152ef37e597ccf5542ed6794d4836705a766980e8d25519bceeee782b
SHA512 f98dc902a0228d8a2a7c5336b5857b381d05b72751afff079369665e3542833b9a9b1d3d2576ce5e196cf43eebaf5ae2c096e0fda2603414fcef6a237ef610b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a466fce4375e50c05d3f17c38a82d1de
SHA1 2d6f0d29706260e67f7bf4795b19d8fce005b495
SHA256 401adfd6e7c004ff4fb4bc11d558760f166005d00a48da6a2f2ba830cb4a3df1
SHA512 d0d20c5e0b99000ddd4e42d354123cba61dd13bcf42fd1b9885a863b7b8dbbd814ca422a0a50e84a3b3ab5794e7058813673a272a918a6ee58206c2fe2f6e988

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1538bb1b3badd83c52b7a36dc9644303
SHA1 d374185ad6a1cadd38cc1ce410d67eacccec87f0
SHA256 ad7f7dc74ae2d2df16efae7287214914b5ac9b28b13b1107909c181bdc808c83
SHA512 ffc4f9d8599f7314357c03a2d90211b22573adebdd993ef6a20a5ab55b2fa153606b86470612c5cfcb67c51d0ada55098f6f37d93a98988c66655977f8f63f74

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d4f2c.TMP

MD5 aa8f1661426ee890723ff637854a7010
SHA1 7b45a01542f70c2b81881b1eaded35ee26fccb36
SHA256 a852924099723554d7cd5318fdb7e6b0ddd69b4991dcfa5d92fa315d5acf417c
SHA512 26ebaac2fb025f588861a8e2f1feefa1dcd078d0896c216d87bba9ae700fcc11db11e5dfa1fb15494f924909bac3f2cabfc8419d9d09419511e30f022c220b1a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 7f547a3042d1eaf6362251376a6a5ace
SHA1 c0361dc9bfb06b50e8c8b8e7dea062cfc96befcb
SHA256 20657ac51b1c8491503c471702bbad669e16e276a6be3510da5e6b8e46a17f04
SHA512 f0bbebf8c0530ee89eab3275bde8622dbe05d78b0143386ccb1532934af3ebb0a86583774329cdab5b9656540e6e955926b3bc98a49ca97f265bcd3ed0633e21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9337fd306a6b17ce0bdaba63f2c5de9e
SHA1 f051b378b15de5d3966d1c1f47f850ef7d2a4170
SHA256 f243c7b9f30a19af490c43c84eb20b961f99fae15578fb87daa7e13cac0e3639
SHA512 8a1cff189ffc6cdf6a4534ff0bc2251877c58a82cf4b8079e8f922624354ca3ea3ff7da9428c686cddab430fc3f63d51e41c0e6d64b6c71c92d8cb9fdedd6844

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a9bc0c078f724eab89062d63359c24dd
SHA1 b52fe9dd1fc67f9e07d3486a9004a27b4964c3d6
SHA256 8557c9ac60725dab323f89c64a6a39fca1d1324a597479c3ebc3b9c4c5918517
SHA512 77c611e14125c7f9b0510ddc98ce8deba975be7e78f6811a2584f032bb37afa5a4886e785b4030dbb46f1c9e3f5a3ebf098165b53156e3ebdbcca08d0855a436

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ee4d57e598d1b010d71b412a3d95fb56
SHA1 2e19b4980c53065dc10d84e72864be165ec7b334
SHA256 4dc6099e7118651d164a3992cc3e03f74075808e5e1b74b55a6e70cc2e8e13e0
SHA512 fb784fa7c205cb6987a0f74f5f6efa06f9db7134929f0b7cee2cf1c6a0eff095703d67462993d19a845561a58895f05f70fa4e3865c3ded17c411b020ce86826

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5179df42be430d75fd81ac7492447cca
SHA1 cd73d7c439cb74a63fcdec8163e033e9534e2fba
SHA256 e0bb3ceb2e9f0cc41193a260b143f7fda753e0b8a9ccc0aea81726665af9d47e
SHA512 943e158f5fb8ac38246b83f37ec55c4e0962ee55b05c409e81d9be1339826092c24558fb5094e0067762805183be56368b2e001bf1b7525ca673b3ff5141df4e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c37c834de3f99b7c63fe55eea086fc43
SHA1 f724d3a109a7013471dae7cc906732616e771d7c
SHA256 69f99b0e29a24a5935a73ea2a5afd5fa083270fe122cbc42f53a7f1114fa355c
SHA512 9b36bf58db3fc98ab156a1749f5d00a0b7f776c4c3d8bd6484247042505ec94a065ee8cd3f6e947f00b503a3032a067ee9ae9ca4a4b0d290a514f58a54ffbf34

C:\Users\Admin\Downloads\WinLockerBuilder-v1.4-main.zip

MD5 4c6097c187916fff55befee86074f80d
SHA1 76defaa4d14503581e849a3ac50e627f79b52130
SHA256 061d30c16aba6550a5cc2a5e4778e9dc88fc35a403b5a4357982bbe9967f0789
SHA512 4c478257d44ea10f9378cb1cc4aacef0836cc6cdd9005b012f8b131095494b9629630eb53c48f4b9a82a8d8f4f453075bb41b059ee216f6f4b249fb983ba2999

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 be5fb024cdbca00eae4722282857ec18
SHA1 58d28748a448e6d3e72ceb157acbe87aa33542d5
SHA256 992819ab04890c8be0d430d28baa70e9fb29a686e926b95418f2d393eddbb3ef
SHA512 cf2fa131bf515357149723e34d5f52f064d067cfaff492b9e9493e48f235d3efc9e1e3c876ba20b705abd96932e5e23ec2ad1623326f05ef09de9d775d7cff1a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 387c59768259b42c537a3fd20c6a8019
SHA1 b0fe07a7e64a39eab8d79a6bf0ac1610e6c110d0
SHA256 3f8ba0966ab269cc1f1a7725febe942f4ee9b524cebb9a0527238d8f4b689909
SHA512 f056ff60e2d65979c02f8e26cdbe381443fad5fe3944c25d45fc572eb1e463531d9ffc5666cbfc04bc02ca04496dc6a749256141983a0e87ca424f8ad8440625

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6d57650e65a3327e257fbb1a3a3539f3
SHA1 5bec61174385620b2daf78e2d71f313e7558c9c6
SHA256 fea6e6853f8dfff89f13dae5e89eac2984d25a09d0a4ddb4af68827c8ff93885
SHA512 3d13f79ae8a5e1aee690b3277fe46e8b10de29b69e032c7304669937fecc82e7511cc0a762915562f7d16a2d21a25044ac5a5348494c7babd6de0ebb476f8841

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2b09ae3c168097c7dee0372f26f427b2
SHA1 e82d573565b3d3b034781f031a6995fa77bf3c61
SHA256 821e75d50327cb70b459438cfd8405eec514245e7e180fe714ab523f90d440d9
SHA512 ed168ae9d0bf4d8d4446c70b87fb314ee9f33b331f046380d85542142d68df85d0cab811c4b9f83c20a091a70a5db0b213654e1bd1d1bfd53e00ab2703c94b5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 411e8931d390f40eb802fa04650ce9f6
SHA1 5092c0a72c531f69b1ab7c6dc4b4f09d1a9f3ad1
SHA256 a3542804c02bd04c32ad00cac8a6ed61441d085c4821a58f3ddde772e9ab7ef8
SHA512 7f98b17cc2e78e4bfe2fc696d2eaae47c96f796a4cb9ef8d19837bfff65075b025043773d3547f1779412aa12564ff3027aaeadb3377d2110046498a59e26b90

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5fa081d9a4800cbc33b1d0689b5758ab
SHA1 8610e53aebb5a20573b7ea92eb2d1feaadf09c10
SHA256 40cc810aa31f56d49e1e698e216d6f4392672434efb0c574688dde8081363a90
SHA512 f5a76882ea1842d49e7062c66451db57b26b4790975388a276de4e2a53ffe1dd555942b76e48ec219e350516f4e599c2023751a8e5d34f8bec9fc160e90b6292

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 defa2d7cb34f65f0f0a0df22cce90e4e
SHA1 086b7deccf55781b11b58a144a5002aa4ef559c4
SHA256 3c99d454ccd1a2869317db2b99a4a8b199b32897b690c0c07b38b16edb270e1f
SHA512 e69a439f8267251e086443eedca19bd3515f759fd43cdfd49fc4d4c83ad1f94102413de2307eab66de57b38c96e425ada9ab016b4990a3c9c3897a3b095dfc95

C:\Users\Admin\Desktop\WinLocker-Builder--master\WinLockerBuilder v1.4.exe

MD5 3ecdaf2b83adcf4a81b71581d4b4b579
SHA1 36c08e0a7ee29249229c53c222a4ead1736d02e9
SHA256 53ddd00dcf6a8034f9a84ed478dfe3a9a6c55636cebadb392fd3b314dea6d092
SHA512 ce994c3bce800fc3a12fa929879ebfb513985f38512a5d55b8eecb3e4e95cdd28434c78421fde6b07f582f1de2fffad868f670f18502d5b3f7c5df43c5729857

memory/4016-840-0x0000000000400000-0x0000000000567000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WINLOCKER BUILDER V1.4.EXE

MD5 81dd862410af80c9d2717af912778332
SHA1 8f1df476f58441db5973ccfdc211c8680808ffe1
SHA256 60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f
SHA512 8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15

memory/4472-856-0x0000000000400000-0x0000000000545000-memory.dmp

memory/4016-857-0x0000000000400000-0x0000000000567000-memory.dmp

C:\Users\Admin\Desktop\123.exe

MD5 97eb6f7ec0586fe37b82dbe2f522da35
SHA1 7b9995845a89aec0a6eabe7e9eeb446abe8e5d58
SHA256 f738afbd4c316267d35e2f4d7b818139a55d8ef6b636c3bf736f1672cb4c8ea1
SHA512 888850fe4ea693a5168d6c0f2ab638862dc1a09a1e25f1de8cbfb373753cad982f2461826f5fa54144ba04ff6ed2c19c5850d70a3a2edc3bbb2024cf42710c49

C:\Users\Admin\Desktop\RCXF491.tmp

MD5 048a83f8d6f626179c92df89407a8037
SHA1 635f0187aa78e45be4c929feab9c80c5f04333d8
SHA256 202cb1864d650c382d3cb9b493b6ea485e2ea8c91b9c2434400836e800575520
SHA512 913da842da023b9b590f812fc221e04dfa031e074586b656b8404be778835cdb2fc4e0bd46a8b06323423042a220b118b6add5094747fc8ab50bb41378fd09a1

memory/4472-880-0x0000000000400000-0x0000000000545000-memory.dmp

memory/4236-883-0x0000000000400000-0x0000000000466000-memory.dmp