Malware Analysis Report

2024-11-30 02:45

Sample ID 240407-wj8ebsad4x
Target e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118
SHA256 14b10e60af155dfb57ed84d4091fb54f62ba51d77a54e36452b840d715769cc5
Tags
evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14b10e60af155dfb57ed84d4091fb54f62ba51d77a54e36452b840d715769cc5

Threat Level: Known bad

The file e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (68) files with added filename extension

Renames multiple (51) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:58

Reported

2024-04-07 18:00

Platform

win7-20231129-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (68) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEYkEIgo.exe = "C:\\Users\\Admin\\cWUUMMcE\\BEYkEIgo.exe" C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DksMsYsA.exe = "C:\\ProgramData\\peQsMwoQ\\DksMsYsA.exe" C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DksMsYsA.exe = "C:\\ProgramData\\peQsMwoQ\\DksMsYsA.exe" C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEYkEIgo.exe = "C:\\Users\\Admin\\cWUUMMcE\\BEYkEIgo.exe" C:\Users\Admin\cWUUMMcE\BEYkEIgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DksMsYsA.exe = "C:\\ProgramData\\peQsMwoQ\\DksMsYsA.exe" C:\ProgramData\giAwIsEI\wiAcMYMI.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\cWUUMMcE C:\ProgramData\giAwIsEI\wiAcMYMI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\cWUUMMcE\BEYkEIgo C:\ProgramData\giAwIsEI\wiAcMYMI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A
N/A N/A C:\ProgramData\peQsMwoQ\DksMsYsA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Users\Admin\cWUUMMcE\BEYkEIgo.exe
PID 3040 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Users\Admin\cWUUMMcE\BEYkEIgo.exe
PID 3040 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Users\Admin\cWUUMMcE\BEYkEIgo.exe
PID 3040 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Users\Admin\cWUUMMcE\BEYkEIgo.exe
PID 3040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\ProgramData\peQsMwoQ\DksMsYsA.exe
PID 3040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\ProgramData\peQsMwoQ\DksMsYsA.exe
PID 3040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\ProgramData\peQsMwoQ\DksMsYsA.exe
PID 3040 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\ProgramData\peQsMwoQ\DksMsYsA.exe
PID 3040 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\python.exe
PID 2780 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\python.exe
PID 2780 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\python.exe
PID 2780 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\python.exe
PID 3040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe"

C:\Users\Admin\cWUUMMcE\BEYkEIgo.exe

"C:\Users\Admin\cWUUMMcE\BEYkEIgo.exe"

C:\ProgramData\peQsMwoQ\DksMsYsA.exe

"C:\ProgramData\peQsMwoQ\DksMsYsA.exe"

C:\ProgramData\giAwIsEI\wiAcMYMI.exe

C:\ProgramData\giAwIsEI\wiAcMYMI.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\python.exe

C:\Users\Admin\AppData\Local\Temp\python.exe

C:\Users\Admin\AppData\Local\Temp\python.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
DE 142.250.74.206:80 google.com tcp
DE 142.250.74.206:80 google.com tcp
DE 142.250.74.206:80 google.com tcp
DE 142.250.74.206:80 google.com tcp
DE 142.250.74.206:80 google.com tcp

Files

memory/3040-0-0x0000000000400000-0x0000000000476000-memory.dmp

\Users\Admin\cWUUMMcE\BEYkEIgo.exe

MD5 2d232b708f4da247bfbea4d08f2903cc
SHA1 15c3eab29b1bec1e84a4491a0c140c54fb1af4fb
SHA256 37b891890a4adc3fee6f3ab2850abb44278fb78c5c5e55eb468f16acce9b29dd
SHA512 ff4e9bc8ba1fcce311993eef8956d27726ab0ff25a316b896a032cff8d42c005fb18c07da985785ad223c5cb5573a0e64e3b5ae275769e4711a195b0e874298e

memory/2108-10-0x0000000000400000-0x0000000000470000-memory.dmp

\ProgramData\peQsMwoQ\DksMsYsA.exe

MD5 f78da0efb54acab45e94d29034567e88
SHA1 23d2bd4bf50e8c3770dd0ddacf4a6def1ce28793
SHA256 af3d23049554f43d6d5bdbb4571b0437c701287a79007ca7d2d6fc4fdab498fe
SHA512 5bdb780b7d5ad2e3cec2da7bed5cde5d471c362fb97b4e2539d6186ef18c18d05df1afed4dd6cd064245795d4e24a25c8b32e28e75fa91e1367fa0e80ed8535c

memory/2516-20-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\giAwIsEI\wiAcMYMI.exe

MD5 b80fa9a18ad9043244274becf0a4d2ce
SHA1 517710fda6760c177190ee786c9b4191a07a716e
SHA256 f73dc62c86e212b8865b3a44ff6e48cf9bafa3e18829fce48da3378a95d22331
SHA512 1c9aca4f54538f0af0c12161bcb2911068d01704b9f054957b643c49419b4d6543de2ca8c1584ada2517db87565480251d29366d18ff0264dee139b63944dbf6

memory/2292-24-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\python.exe

MD5 116d1368a7fc6ab6b09bde40e921a44e
SHA1 77d7cc68d4b1d20f3d27d4b495396be0c5d77141
SHA256 27fd603bfbfebeb1074ac6335c6e030d086f5bff685b03f377640150a1c90fc0
SHA512 8ddea8113af547302b63c192b3c9dfc8ba2444acecff199caab31f7e0564f4b6c3b01a547207eee0b437d3e5ba9ec826a8e2763ebe8fa1e317ae29a841962192

C:\Users\Admin\AppData\Local\Temp\JQcEwQok.bat

MD5 b78bcd1c2e43ebad7c033ae001c4704e
SHA1 6bcd9fd3809e10e2af0c05238400e21e25475eb4
SHA256 18f29ce9fdacbc46854b59a868a3c60ff918afcd5691ad822109234ecd4481b7
SHA512 cb741399b8935e0ee4a006371a7f5c10af46b7cd1d0853a8ff4fe90a3196a43d10c3a9ddfda61888d3051af747a015d8e07ec3cdd33a01756919950a0e153c85

memory/3040-37-0x0000000000400000-0x0000000000476000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 a41e524f8d45f0074fd07805ff0c9b12
SHA1 948deacf95a60c3fdf17e0e4db1931a6f3fc5d38
SHA256 082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7
SHA512 91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 7e86df879a80b1c4c616a17faa22ff97
SHA1 3b7dfd25d0ae7d9e53812e12daac6d273369fe0a
SHA256 d572ee82a0a4af367f0428f92c1b44475aedc3676b67994c1307973d605610b1
SHA512 886f65a7424947b55478dc5bc00fcf5290d3df8dd65eec9b581197dc69d903a51f488e80495734560bd008c0becf735bcc9ea04c9c8014672045a0ddbf0d3117

C:\Users\Admin\AppData\Local\Temp\SWAs.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 f50ecff25d803a6e0aa84f13b800fa92
SHA1 7536d0e326818040869f61910c0035a7807607c1
SHA256 5c94fe879a2c97d581a410c9f8be8da9e45388d6fc6dafe2c719feef704dab0b
SHA512 47acd9d3e20091f0fa20763ea77e10f92377ac0059c34beb6f4054a89d08605e5a086279a29894d6755c569c9257cab7e41a9478b7014988498809f3583d19b6

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 8febcbd39d4c6aae06eeacaebb3bec26
SHA1 d3eca6e85436f819fbf6f7b9e56ebc784fbf7c23
SHA256 675e396461be66d97a12d2daa6e0a5d4fac3edc6121fb8780d6fc0180dffae07
SHA512 87c02228186e797c8d098ed454d6322ff7f86acb0c53a67fdf780cffba32782af40164c83fb7ff057b324a933778c755c8f0fab57aa9ce3b92e8d749d6bddd24

C:\Users\Admin\AppData\Local\Temp\AQYK.exe

MD5 62d3c6e1d77751e8864b05432474dedd
SHA1 7aab363f90dfd1f378573d7f2106c95035907e45
SHA256 60de2da33ac2a5daddb108ae086c871f68ad9d7e8c87286a746569321ded4826
SHA512 952be0e6bfe06f47260d940f50ceeb97234e878ff4c8a5d4b4118ca43982a0067cf5f830bd8f88ba277b317c1a7df5a209e0f446215ef69902c6e1aa9e1fa0d1

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 dc6f471c401ceae730022901362617be
SHA1 eeaffeb8791eb2224fd31300ef74d8018a4a1c48
SHA256 19a879c822e2f022cac90aa70d5833ba380aed589555de7e83b042659918a893
SHA512 80ed906f785a8f57ecaffd7148f3ebfd0813d5bfcd87db688f358d961ec029d170dd3ccdbd1048de6e3ac76d9063408ea2be5b6bf0c444dff87f1f7a47f08d31

C:\Users\Admin\AppData\Local\Temp\yYQw.exe

MD5 4a8ce9b1ddb0389ee6c9c63732581e0d
SHA1 464e5c185cd206de20ae6e012aad73ec3df50516
SHA256 e9f9ce2a594fbeb4afabafb7459dae806600768d3e49cb080a437934ed400b2d
SHA512 291739ad3664a69c283d56911c3523bcf2801ce88c92839d2f021d40896aabfe4e48994b15018b6c0b02e517fe2fcb6da2420197ac16838e443481f05c406eba

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 f5f2f28b3befce5bb6594a0dfed30559
SHA1 e7ec77c53c9c8e6ebd7757eca057e3e60c410e86
SHA256 ab205f35ce474ee4e0e688b0b55487452d1a68c69f3d8f53d8c5027844e8b0be
SHA512 c004ed327bae02580456b182ac89c29d76280091897d0e1ad91fb745c54b5a73425e9bdb6088d9d88ac0feed687d1ed6ff4afb9777fd0bc7fd3fcb528b66fe86

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 c46a7d8d738aa60c294c42e655beec30
SHA1 d1b5647037500a9eb1854758b1232b66a4cc55f0
SHA256 6948d0095ef9f6fe71377ee5232a2929dfd1c2e0e8c37b3e13fdd332f151ad61
SHA512 331a6edf157dfc8efa88a67dbe2d14ea5791cffcbb313a793a2f7888e2c0c189b4920ca7809a959c6226ab53e7714c58493f6b454fd3df0072950f36adfecc85

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 80bccc8ffc14e6525dace10627298513
SHA1 d9ed477c699a32b78c1e71e707d7940f20f4e3f0
SHA256 3d6ee4ff650469f10a12d94dd4a646c8ace7515a3ef9ac271201b1f9ac0c4571
SHA512 62ac9f0fd4b4b5b3a264acd2dd08472317d8a87cea0273f62f14ef000418da71741626f2a19675f2cf74cc83063d77f4aff3415a06b21e96a14d245c280d4536

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 da267925bbc659020e87004e2aad83fb
SHA1 f73dbb331299607796f05d59a0062657cc302d15
SHA256 189164753576b37160eff0b34d2a86695cfdfb8d208e3a5c2f0f97ea40c4638a
SHA512 a8016196022dfc7480070806595dd4406dbde6093f42915e87ad2a30160611e35fef06cfb5818757528445a9d539b6de2f38bb9ba52a2e6b83ba13ced1157f16

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 2db3f2ff4e6faaa528411d6c22d1f418
SHA1 3ffdc1360bf12d454aade0a9a4457191d7bd6bc2
SHA256 d10350bbcb6fafeab2b57e68fcba600551132f3ae416d2b775c75d355ff59d60
SHA512 7b515a8352d4ef3d211bcc77d79e16c9b31825813d7684273ed5b7d68b5bc04c4a994c34e6ba25a136a8845a0ffe6ba56e9c10354f72a617cacebe997a8cc5ea

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 75566075b39fbcbd79256e2fdc95390e
SHA1 e70d907edf5e48f4477b19257288b7a919373c7f
SHA256 866c3011e70db799565adf7b7089092507f4d54b709e0ed65ab6cdd6a3255a53
SHA512 83f1cd09c517eddf5a40b493da3d6233d902e3040435df3a78297c21e6966695f595a98d1ef654eeedcc56f49aa644dbf668b0943cccea8d68c70a9fda39ddcb

C:\Users\Admin\AppData\Local\Temp\YcIu.exe

MD5 94fe6657c70a120b3928964e967c4122
SHA1 8237d90daf4eb0f6ab00f4f3e7d4e75ea5ca85a7
SHA256 1696a9d54e90b3b1c7368aa704afb6055919658201495e4b2da7258e589dc9c5
SHA512 5d6e0f0efa98d8970351194e5e35571166a7c110932a30fd0e7c75a22a6104ee4156e7ccfb0a79c9525358994ac911dceefd2640baf3dcd596023782738e4085

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 34b5609de976e18c6b7dee6daf8eee6a
SHA1 e20437dd506c7d646c5fefdb070373c72c7badfd
SHA256 ff36cd66c54b42e89bf50b713a6fc6aaa0b35be2232e79869a725f4fc0d8713c
SHA512 1fe337ea9f9a4b5cc184ad0da6b191913e6592b1b7bd59a8bd774699fe24468222908cf0e03f272aa690875c17a759267a829dab8d34ff36cf7bb1f4e90675d7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 510b1f242c3b9be28f09b80397668dec
SHA1 58e9bd77e78850b8a4609fa7cde0a4e654071f05
SHA256 9a6849d71717c22eaf99a14459e920618940c3c2cfd417046dff2ada43af0d15
SHA512 6761c329112e7586318fa0825620deab924124e2d58fc8e88f3b72bd571cf1fabddbebf0573b216bdcb9476a19fbf446a3c73344710e1ab5915cb416d32c1c33

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 8c9361e8ff4470007eb942a6a9f6bfd7
SHA1 07821c5abe53be56e7aa3aede60888dd4636b126
SHA256 5d466af58839d4ed2934c3b7b88c301154382afcc624eb0655d042d9a20ccf2f
SHA512 48bb69ed553a82b5a0da42fd172c50fadf785b4c43bf3af1ab8182aaa73bf4531ede6b90238b565f5136282a961b1d87fe7130d7b5e38822cd347f23b739f871

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 24555f735a9a179ddf3848b5a4cadc08
SHA1 7e8b185bc6f2ba9222c51ace3d213f0e7782838e
SHA256 1608925d1862fe56d8d8374e5773576c5008b8ff13b15a7b49b242f760b7c1b2
SHA512 177eecb46fc7cd379d77016f6024c64cc106eb20d385e0ed0ab9b7e93698e182f6baa0711a347f164c8508b2d11f9f86ea36d5b24f87a62f3ff0ac0894baed08

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 db3dd1c2797879105232bb1bb14c94b9
SHA1 3e9225d047de651265af947aed20f7462b2b7061
SHA256 8334f51edcd0472201c792461a73a03eaa20bbe9ecdbbeb8e356a4ec3c27d67d
SHA512 a0e67f35238c4edbd0629867214d8511d8dd9c2f5f0c73e6edacc1a51f5970fe81721d3939f78f92ab779c9a9121dcc3104a498ebef5c90fa1c1e0f60e7eb9ba

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 3994880193bd3d5050a6256c98463d1a
SHA1 2a156a15c53f63e759d9e2e1089e0bb6277439d9
SHA256 f817fe19bfe2df311650b6d614d20ee28d7879becf11e57b9f623c862106d1c3
SHA512 81d6927132d51d3717e7999791935db7562a90d88496059333cb2ed41bd43660d152e67036b009e1b6e43d5aaab73fc8bd42659be00089f5fa21bc4438f82e1b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 0f1bf07dc041799e8d5f64d7720fff57
SHA1 8c6982d334c069d09a4fa906374ada7dc50a1652
SHA256 1d540bc9178b3add47e14c570eafb2cdf14b7d6b9e531d4345e6a7445ec75f74
SHA512 e4311eea85cc3b25cc4261a776b5aa67f7f5f545ae73a29ebdb4be8a1a5353443deee82cac33134bdfcda7e304ba33add51e9564a5731375cc24b300328fdf0b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 4fca989ca39ed58fb3f4d194d442d90a
SHA1 52bd055ede31b9c9849bd84003fe4f7673f4a53e
SHA256 e2e06e80a33c68523798857f4fea2c8b9f7e70e8cc8ea43bafa7215533f38f46
SHA512 e8d653a3d467a423fc14b28ad8c1d74d62923c444ff6de4c9953cf9010cdf8903409b1e610ac81f48afd9935793809a034a50a1ea7e16b5564f2021f77ac5f79

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 8e27750ae9f319bdca2db6859a86e975
SHA1 f8d245f90594dcbc36b4974f567c5ee3fbbb9415
SHA256 eedcd1c705879940a441a974b1e2e463a9f1c593ff2cb3083e8cf09e492ca170
SHA512 4853cc9c1654dcbb5d5cef2ab3144becf2b1fc54f7271c4f14cfe9bfde92ecc1c0832a130aae13cf813c88321f2de79ff48dd7e1888bcd827f16349b165e51f0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 88bdab04c2324f5316ba4244e43dd3d8
SHA1 b5f4c8f77c4478d09953c7c504bb7d10012c2aa0
SHA256 2d976a8620dc3f0bc6d80f0c5562e77bcd01e329740f9b6010a76865aae11b23
SHA512 12d1d4698e283af9e1d29dd3d9ac830a0675469ca9ef3d206fdc00ee64c726d3973f6b3df05be72de79169fad3b6a11489fc6a546c52293b09622145b90ef26a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 d3f703f9ed480b7f3d08099a25dae980
SHA1 406cb61db55dea2635676ce06754cb08e0a6c39c
SHA256 9028374481083824cc2899860dfda6e2a1a07cdb0157a7a3cfa5ee8fbc608373
SHA512 116bff22aa236ee390f956d0673ab02f55bef24d4eeabfda16d3cccc9715fab34cba26c59e6d034097e2cf16c21d88c786064bd186e90825fec152390381147a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 5ed662ced4f3728082aebd757ada057c
SHA1 96d48c9cd56deb88920ef1cf7b6a7986af5943a2
SHA256 f13a0dad2614ef87f52c08f65b9f2542cdd14f22e7e3f734b3311cc3bf6adb6c
SHA512 4449b8156d574e11e54242a850c470787faca0d001f5b9b2d6d93a53119ec51f6d36b0d5554c6abfd7ebdfd9dcf8429672fe6db1264399aaabc9d9a07b2d99eb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 3a8b34ed03d9b5dc8cf34ffb4900a527
SHA1 aa60df74b23e0c40943cd5a9dfc249a892bf13ac
SHA256 fa098a382d71177b7849a3be0c32b19838267eec0704392e34d23617e893e754
SHA512 57e24d8db39f892da23b13d960dec4227ce568cf00beda27e968ba4a53bb2ea6e51e949df825da1b321687b059bc621fecccfb939893e37a6da8203703363d41

C:\Users\Admin\AppData\Local\Temp\qEME.exe

MD5 c31581f3c19b311a4fe44cc4aabba8f3
SHA1 ee972e7a37450248234af5551a7de621618b372c
SHA256 71138a6fb20133eda056e73e684259b900e436cd36ce4fd57ada79f7a661fa2e
SHA512 288ccdcea8a8a345e98961f32332a724985fcb353d80e67b8f8ebaeecfdcfdc434f41bf1fe0beae189f6e8aa383e75228d6ba05dae9b638720774dd037573d7e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 326cba1f491c951ee2b80ea63eaecdb8
SHA1 47bcc1dc4be95ba501585848ce7c1d4a89c24cb8
SHA256 c360bd75e5518472aebcf6a946cdb03a4d845b9d384caa6ab54ac3bd20097a8a
SHA512 4d75d24fa8f6f0f5e5733fae5e0bbbe49dd70e8b794778e5a6277e6c5881a880eea7ba619e0127ea170f0541420a4f336cdbd821f49c3b0f328d75ed5bec5f22

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 41b55c9388b96b8eed85fec0c02d5b51
SHA1 56c832225a6ea99f22ec48e9be6536934b920ce3
SHA256 a8af1c1d1046b47baa8406b49218b2ab46d10b5edc35062f217d593a41c8b797
SHA512 80fc5c6e31c2283b4cf254336b91e736c53e7ac2ad5422666cd033e6c8adb5741a35c5f2e4fe94cae21432a609e9e20a8926a2c0a091c64eae6412542a6fc365

C:\Users\Admin\AppData\Local\Temp\SAwi.exe

MD5 146ff437b41d84b3d1d0a451384ea0c1
SHA1 95f867b60a3673d56e173268740b8ffba28bf510
SHA256 a2576c95373b61ec6766747f729cf9453ec2f3f2f8ec1392fae56d907a7e57cc
SHA512 ee4efaa3c1ebe1ba03cfc735c87750916ea746e6da693ef71a26196986b2b8932945fdd2dbeb10e9d893de1d89321b99bfa22bb860d5015be70273f27e5f84fe

C:\Users\Admin\AppData\Local\Temp\eQAO.exe

MD5 b3808e7ac3e5303d8d474c6ddc31c06e
SHA1 052bc2f005b770b8e77ff0686bb1f8f373dc96b2
SHA256 896acda26c0a7551791264cb04f6888274ea94f01c1b2478c8d571512ff8d3d8
SHA512 a69fefc755de728286a62655dd34c7a36f4a05aedc6afb35c1ba2cc48d07841bb1d73173a5964f8e47232707526fe0354e9d53c78ceb44ec9c4fb220014d145b

C:\Users\Admin\AppData\Local\Temp\yIIQ.exe

MD5 a6bb4d2dbb605bfabcece72315af4348
SHA1 e5cd58f763015f4a83f6dffba79462a69b21df57
SHA256 c3bcc3825a8d5ccd0e64a247003cdeb0a98c0501a9f86637ac0d3b06d36537f1
SHA512 c03e13e13e2761963ab78966ccc64f59b1babcb8832c7d5b557c3feb1c94dd346f096ee30b40e7fdf6fd98b526eeed757f9db67a5e57cc62e5a1150f548c0f24

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 ce7dea0edab57aa1649c64c6af886217
SHA1 a197fcb47e69fb99d1e06585b9ae96c0b23d1201
SHA256 c960c7b53c0a206854888d53fb7f7f360ebc672e6a45ec5560fbeae4c6da5b4b
SHA512 ea7280f179b32338fafe6b0d18bdbcaba24bb9a011fd98cc7514ec5e44313b960e10e73f393e9ae04be81265ef5bbc0b8af9b53803cc1bcbe644e58e6b15d648

C:\Users\Admin\AppData\Local\Temp\KUwU.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\Users\Admin\AppData\Local\Temp\uMUk.exe

MD5 817efe7f233b0dc669213be604c27d8c
SHA1 77a0605de9080d303c900f4129fa9db21a6c7937
SHA256 3c30c6bc2590349eed0f00a1ddd946586e1922ebfa69a570ba5c8e645a9f3d56
SHA512 e826ae21f08b489d2aaf4eb8bd2273bfa299a40f0258224052442faa1aa9e7375403ff7809d9f0d5236061163fa2177e5c9b0f74d6b78fa82ec4f2f40fde2e03

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 7c05842c1e511215262764ca3fdc6b95
SHA1 64aa0abf1cb4430aa24993d4186a880901e307b0
SHA256 7c1006d0b76ccbb117ba94191b08bb8380f5cc04bb6d91ef43ec88c2e1d2cf5d
SHA512 e8463dbbb88d11421bde615e6e71faa39aa7cc39543f7a992c48798a3ef6bd52770ec7ebd33d0c86c531fac69329ccda727fe8d1bb9433d6531d6a254b98f715

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

MD5 72c687fa5ab734300d82d640b4a14906
SHA1 d147da20ee3dd0904d2383d5f64fbf7012cd913e
SHA256 134f0405ccf40eb7bc9ec1d8dc85e33c1afc5d842ee4ce94a3161bb43f02f65f
SHA512 fb6b207b6d90b1cadd150f730389e3dadd6a1adbdf652ba0febf0f1ea364f74f403e9bcfbfb29d3404029c7b5bbd38bd5a74e9c9551a5ece4899c7ece54d781f

C:\Users\Admin\AppData\Local\Temp\kMQq.exe

MD5 d13219a9a2d08a8a5359dd7785cc7753
SHA1 fbaea2ad89ca113c1be5893e1a4d9c96e52e404f
SHA256 185e3527d2066697a899be32067840958bdd9254689f40263ed46dd4be62cb6e
SHA512 263049fce1640c6ac11ce39dc8d8aed15ae9d2abd1c96dbca267e5c8d14d1cc16a07b910627aa2c91075370b8c60872fb0c1471e5c6f04836770644918b2452d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

MD5 ccc3bf424911aa55acf6c7bdbcac55e7
SHA1 92f76b5b0a2eae641066d45f4bc785e3543e48d9
SHA256 179e021eb1877cfd8ad0708c56be00da2d15e78ae94cc71cefae75a640adb6db
SHA512 35bb04cc1f8ae3038c338dd01089741dba5e31dff6457bf85d5c2020c6e47b163b1a6147f7d771e041fcee190c71039f0ad1a512a6c75b1014dfd7dbcb1777c3

C:\Users\Admin\AppData\Local\Temp\ccwo.exe

MD5 8280f9e815b5332314f914542d0769f2
SHA1 1a6c004a639e941a32f8db3cdf52541d5f933c50
SHA256 a5b96017c3df26cbd8dbb685c5502739e7bddf1ca7ba95bb17dcfc4a1127e48c
SHA512 3aa4233af92c0a1faa624f3c30037992ceb855637a06ef222baeb87c71f2500d47b381b5e30fe7fdf5137146c12012738e9a815482122e74d476d31a47ba28c9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

MD5 dbfac479775665dedd42d60a4e9d7195
SHA1 8e44e5ab28a0a9e8f66224b1feef34edc2c7f8b4
SHA256 dd92dade850c4cc2c4449b0b97ef692e8cef4771cd097c5ba54bc471fca64bbe
SHA512 4ff4c9cdfc70f0f5d75f11fe8694360c946908879fb8e6b26167b2d19bbeb303e13cf06013285fa2a72438b6b812b27f838fb0613d6918c3f2fd99ecc15e8c4d

C:\Users\Admin\AppData\Local\Temp\icUS.exe

MD5 347f86db32564f127906c8ea49dcaef4
SHA1 1f01a6084b62ae0bd6d2fd7912254de4cc6d59cd
SHA256 dc5aeddd88f93273b39e8143b0a314d82f36a13bbba0740bb644e30067986993
SHA512 0d2ac4da4811e388db4ab56f59b7668e3ca2806781a4b89b89aa3cdbd37b33c6d7af919f4e0603d162886087d8d7b55f533d39378ca93d66229bcddd5e3016ca

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 819f56cba256ed2b4fd6103bde916699
SHA1 adbe3984c2a84994759cfeee71713ddcff848384
SHA256 b88d4e2cca7643124039513e14de9fed80354c317b98da21f2f7be274d43ad62
SHA512 a87e310d6f5e2f254deef5c2435d2223c6a7e0b6f24b5c520dfe0be4957628c8ec0168d0895ddac4117419524b1e5f2518b5e43ab6360b82028242cef53b29f1

C:\Users\Admin\AppData\Local\Temp\AcoM.exe

MD5 44bba0154435673666e5dcd0b4f3dea7
SHA1 e11b35116d8dd20b2eef2846bf3a2efc1aae94fc
SHA256 4ead6ec86d3c6703e168a8bd0db97989aa103f4b0bb5603d0b38e8a475f562fe
SHA512 ac2e8fb436a58d85917617f48752f4c0aa01ddb4b8646423b2c66aededbf2b94612fa7364f907901b8578952770fad899011649b25ea3452ce9a1b3a637fe1b5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 897d24d1c6e611db78dc7bb53b397d9d
SHA1 621ad0bca60af6c161a91fdf420ff6a66f27a8e6
SHA256 d286f523e2cdcc4680518b84f589b926fb6d9b11e4af2f92db192d26f4c7cef5
SHA512 1045b8e07bc41531fcd0d1030c57aa8e0772878f13aab02d26fcc00bba9452f8527e6e9ed2ea2a3d9c062050ba73cd77976b33f16dcd77f3126f130393057e15

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 0c4de16ec384b1fe0013af0ac66df2f6
SHA1 5b8875156bf4d64f45270a48868d9ca466f576e6
SHA256 b9fedeab038e211238fb795e07effd7a12ecb72f593bd493aad7c2386c3c111f
SHA512 552e043998fa42447edf944f6e4ef218aed5fe7c0cfdfed2f0b99deec476c226b90ea2f6862224dce82685e5c445b93b8bf71e4bcd362b2c90b5c7cc83905331

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

MD5 b7eb19ab17b6a24d1488afb52b30cfac
SHA1 5c5d23a0488698cb3ccdbf6c5ca839d0df77f96a
SHA256 e7b971859c8043bfd572f00d71343f34afa1c564de17254b6cb2f8de36792055
SHA512 c7f0a2591abb4db15bf804fe6445ed390fb67e35db41d8c6433498086f4ab5446ac620ed2624e76b371c8601de022f4cb3222bde7e0f33799c6a3f11d70817b3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

MD5 1d0d03c390f17490301977f7c3f2d494
SHA1 7b40a43faa6045956f81409e704771322bd479ee
SHA256 edb15cf3617c327bf28df18bca18eb1dd40457f92e2b53b3306a34f00ce284fd
SHA512 470a1ae56e8bae673664d01fa74ccd59e6d8e4592fbbbc0aeb7c6bd142977b9e6dd7d9451babe6e71d9ffa847076fbb508e642c200725eac63bfb4296dc86674

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 7fb31292ca6df962436ec70aa405eca2
SHA1 e0d544e1734dce60dd2e728c70746168f168297d
SHA256 015a5cea2e962caa8c1e6e346a5bee144e02947d0e8d6dacd36576fa50b96dc9
SHA512 89d21a4c3b9749605ba642d0f3cb36dd5e453989203b9a93976b8682b442ae29c7e5321abd6287704c0775c5c8037fcd3f882b54c2eda3016c274e966036d718

C:\Users\Admin\AppData\Local\Temp\OAEI.exe

MD5 3aea05f3af57c2730fb7ade02898c4a8
SHA1 be92e08c23ff68d90b9e5c047790718b1ad9a139
SHA256 08784ec29669325bf62ff337e1b5b982901838356682d8ad5db2ddb9eeb922c4
SHA512 fcce3bbc6e013e6d5f5a7b5760c098f334bbb8869a413a17900799b3c624ccdfecddeac84a7a093db7d413e4f5e0f58158b7697035bd6224785f0368bf192157

C:\Users\Admin\AppData\Roaming\JoinRename.pptm.exe

MD5 cb370d618a4da69b6700440f9d36db8d
SHA1 bc8b779383a0c32589eb67e32c9c8ceafefc374e
SHA256 bdd22cc20ed0d843f4d729c4291ed589b3269986b7ba21929b0663b83528eba8
SHA512 02e5e50b15644113b60f72d37af3a17b0b98fc7387c0ca303fae5d770048ce280a12c225fbc942c4f81d270f8849756362736a120997b70486f02be00fca24ff

C:\Users\Admin\Desktop\ClearPush.docx.exe

MD5 7601faccc2f8369cdbcfd45d1e71141e
SHA1 e78f9daece1607f084a868363690f6c18b993906
SHA256 0faf6636e0dde511d0ad471eff260d5fa9e5775a877c836afca3b5e40acd4872
SHA512 b744af26f762cc7a156dddbf05c13c418d763d24b341e312cbb3428e64a9612f848d79dd601835a3fdf5e8a5d8314bd1ecfcf91bcd287357f7d7db18c47b2d9b

C:\Users\Admin\Desktop\CloseSearch.xlsm.exe

MD5 493624a9f9318bd770d746a8614a83ce
SHA1 296744155dfc3f9b5887c5d645a6ea8f4dca206c
SHA256 f04cc0ce56f3f4d2ac6ac8828049d53e8060e754ab18bd2791ec0207eed659ba
SHA512 3f5e6493e31edd6f7a2c6df99afa6831f02b355cc2eba2aa575f7222119a047347c99a5f6e5fe517e926f60628f8909889fcf7ecc62914f2b5c86ff6caf7e9ed

C:\Users\Admin\Documents\Files.docx.exe

MD5 ecefa26025e3a7c0dcbc43032f7d574d
SHA1 78e03b76e826560d181404120acb3c3faa627dd4
SHA256 1306159ed17d1e38dac3ae38246615bff582dad4a8793350487e345293c359d0
SHA512 aa09c0766f2e486e109f2ebdfb7df6162a2bd5f49d8fb2b173ce458f169f82aa4f7dc548823baadaef3613c84b80775e3cad1eb1924524f47211f969f55a61d7

C:\Users\Admin\AppData\Local\Temp\ScQQ.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\Documents\MoveComplete.xlsm.exe

MD5 239452faac53dace7de9dea4f1c970c1
SHA1 9fa85b192182cd90b58ef6461213abeac0b4da98
SHA256 2a31e92bb754708fe3a256c1e428a1164d64fc1195dc98c5ee196d7d53305dc7
SHA512 b5f669e0877f25bcbc53886c5096f5dcba6e29df67d29afe3ac8a8c233a3d48e9c3f37e430c39c9cfc85e70d1936f3db97d1f53d4de56ef72efc02efcaf9c320

C:\Users\Admin\Documents\Opened.docx.exe

MD5 de116c17f384c17c08bf665732cb4100
SHA1 65fa1ea21e5f07e4b457dd0a9697e1b44c6171bc
SHA256 bb7e4b852d61069005abe17022f908c0458e5610b48ed6b7e15603f5f78b08c3
SHA512 e02665645acb797815b5173854b3d521553de611a6f370df2b1a6b6539a8e900927e2645d9410c7d6d436b11ca0fbd05835a24f891a6d79c1103316d842b86cf

C:\Users\Admin\Documents\RedoDismount.pptm.exe

MD5 9901d3a7bdeb8eaa1bd0c7cfe05e361d
SHA1 a86bfc84e9723460fd61ea4c3cf7b9ba0234c60d
SHA256 5f3d439c5dc4d35995d600c3618b7cd8dd920d7167ad62cdcd7085ed1f7c59c4
SHA512 ce3b6886975cf923be550368eb60f8ae1e67e98c245b56c8e19e6f3754f7f5b7a8393780e44de0eca4e867a1c37f0ce111265bbebfb32b3ff996593b79552adf

C:\Users\Admin\Documents\SaveRepair.pdf.exe

MD5 e1e55a50708509106c07c0e574078cab
SHA1 19d777becc3b591f6abf15369a44f07c29417568
SHA256 fe450c505374c295fb255d971a14c8da5664b7c45864fca0aa30c2874abede29
SHA512 2a4ec6fe8508ee9d3342e169066969a099d5068f44e79fb33f5013bb5b922b164f37202a39b279d6628f970e836e26f977cc7faf728fdb22a19c48e16b6b83c1

C:\Users\Admin\AppData\Local\Temp\cuIE.ico

MD5 688d7cf2301874c0a5ac820e9fe6de9d
SHA1 d4a770a4f77b473611cb375f7c3a6f36e9d27c50
SHA256 746bfc348164ae5fb1183c53bc96ff184a2ebd2d0cacb77ffb7f5161901bb179
SHA512 3f5c7097a3eee67a0bdb58b820b7285753dcc9caec7d4a7f230e396fb26ff1b9601ab049fdd5a37244ff9a2f7445172846019b2bc1e9bbe02ba075f4cea7abb5

C:\Users\Admin\Documents\SendPush.xlsx.exe

MD5 25efd4c3ad255447e437ee3e9cf2eb5a
SHA1 0ec06edb3d510898e324f9c0ac74d288d6eb7f2f
SHA256 61a6dd1f16c73b6393e78d09258392581508c4e773288089e8e185962874f060
SHA512 2c076d4e438195384773f42e5661fb37508f023e2fc02eba1cfa40d561adcef8eaf6c503dad57d84e0ed1a4a3b8bb46d45b79c33af5ae8b9565103317e196ebf

C:\Users\Admin\Documents\These.docx.exe

MD5 b4ed5186b6f03538c5e23fc6bbd4194e
SHA1 dd9681ebe60afa028fabe6488c7eeb634c28999e
SHA256 436f9d3eeea4fdc90f585499e0388fd49f00035a50c5bb220287c786a2567592
SHA512 65becc4b986fdfad76dba9b7a0f3df338deb14993afe46ab4f262e38b463d216d6a9cf4b70edd4d8e2c108608831f7d46c8e9753e8399d42fd2e49e318e9e68c

C:\Users\Admin\Documents\Are.docx.exe

MD5 17836b860cf29ee333d2bab60672ee57
SHA1 0e24265de683c5f17d2507d0329491f32fd700fd
SHA256 02e9c3f44c73f686b082ae4f5651aa8a916ba5f020ff511a4f4c80ab9e13912d
SHA512 59cbf5edcbfc89bed96e5bb15d4bd05df3d305f45ecf1e80a91b86d228213e67270adee408eaff837428c8da4324fa20fe49da8b0874bee7b7c8169d381bbf37

C:\Users\Admin\Desktop\CompleteStop.xlsm.exe

MD5 37203505fc52780a0a0db7a8a40fa0b4
SHA1 b99b8f1803fc09dfb0db319dc376ac7a2b22a885
SHA256 34712c919196c33f75692cf8769774369530317622d5d5bee84ee0be07c8db9b
SHA512 269e52bc20434560baa52494cb07fd278649ef302d739eab13bc4b7efefd859e5a08dcc28e1ccf9a868d4f60e63ec1debc5a092927a9352e8ce4e84c5295b695

C:\Users\Admin\AppData\Roaming\ReceiveMeasure.ppt.exe

MD5 23e1a5c2e42b2f9095b857f442454524
SHA1 2fb77e5eab150f913b1dd1ab809b1587cd0b592f
SHA256 6e6eefea883dd23ea2a4b00a62a8bd532e53902b38eafd1fee096368ddc87a80
SHA512 1a78450d3d6685306fbb6a1c77bef6982b46c04083d0dc3c0e0d07d57990dcf5fd84655c9ffef2e0cec3c5b7138cca64f29c700e8afcd7f4671b0d0cd56aa340

C:\Users\Admin\Downloads\ReceiveRemove.zip.exe

MD5 9c578fc86ec9ef42becb0cfbc1691400
SHA1 ca26cf54f2764f3d0ea990c448c315a0e677d9aa
SHA256 646ed78e5db1ac207f605addad5639134f85820d65cb1628026967357a155a4f
SHA512 b2247a198b558c382b00b2365b976e29a60273545ff4c842d50e66cf0822ef0b08c288b60d96220f1be7eb0aa652669be952e19c0a1ee7b7c7c7df4a7006c27a

C:\Users\Admin\AppData\Local\Temp\UkQi.exe

MD5 3701e20bf1d7bad1c5e675f08d9282f4
SHA1 e65e35e1e6a92761c62ac0b4aae56c3dc574e199
SHA256 6e9ec254b81f43667c34962627eadde817f77f68d5caa09b357c5fccac758c3e
SHA512 204dba5a66e06d4bf770a0322e6ef0c213b477f35d32ac8a9421444c2e16a17f4b8df60c570136a220c432ffde481850cf56994d6f84646be1092b26deace762

C:\Users\Admin\AppData\Local\Temp\EcYg.exe

MD5 6a48c145a1ddb1dfa4a71f9b3f739b63
SHA1 18569812c46f5da691d59cfa5b4c3e04d051c1af
SHA256 4bcf1eb52381d63dbe02c3b7f182e43a069e0da81cdfe429a69d15f969df5ccf
SHA512 4fdebab5febf326fbbff39569873a6b13627a0768ff9e06b2cbc547123bb3ea69ca7c8d12bf17ffd685fbdfdc39fc9e193da453957f7b08288b844af40061e57

C:\Users\Admin\Music\TestWatch.xlsm.exe

MD5 bf0fc4f260a13aade9c71c77f22c88c2
SHA1 e1881ae2b30a8499c271b1014a69a2882e480d40
SHA256 e29be951e7ad0ec197cde729d2937b5194f5a18e6e2bab2f42c75edbd8c2b089
SHA512 78c30d6f7002fdb2e74b438ab931c8cbcb381418a45ced861f0894c5d301e17e7265c02acd106487b4e09c65d0e96aec13af9c0db46754f1e02035e38d7fb783

C:\Users\Admin\Pictures\CompressRedo.png.exe

MD5 b27dff8cc9597f7d93762b417ece08a4
SHA1 8146feaed167e7661c353ef9108e55d6aac46bd4
SHA256 09d90d725002a566fe0d37348032f58d047a1b7d4fa33213ce3fedd0cb6d2961
SHA512 e05015c8431568d6cb4152d18fe52470d7fe02015e9f01b063700a354bc87b9df7a808b13f8e85d1c9278e55d99590e494b749c2625b49ab0af2a9a0b13adc1b

C:\Users\Admin\AppData\Local\Temp\cYcS.exe

MD5 1a7dcc97d20d1927c6eec4e631f30434
SHA1 180f3fbfa6c6a29b6e3b2bbaab72f5fcc28961f7
SHA256 0dadfa410b35ecacd15ce6bdb6dd0e48f80483c7727f296f5225168421816c31
SHA512 2d3a57e5b78ef8195c1ff0d98a32b675c146d728e90476937bfca4cf6ee3bfe7b568da392f67caa64b442b012788e6065c40e0f697fb1a8219a96a9166c5b931

C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

MD5 a19a7ca4c661d8a69d2e6e6184662658
SHA1 2dd57be608504df6b9734859ab38262f2d538e00
SHA256 2ff76899f54a371f41a401ad3dcdc18416bcc59ed961b1b5e85a350f28417fbc
SHA512 0aa3ebb6e0c007d1c8dc13d23fe6d864b8caf2499d59a49a2e4bd003e85acd8c9a7231b932c8c3b47455971bc796b58b99638c56fa859cc518337d694bff7b90

C:\Users\Admin\AppData\Local\Temp\IIoW.exe

MD5 05e43241be9dd0af05abff3f4e60b86c
SHA1 3aa85d213971a99a846b5daaf27ec9feea0d2626
SHA256 8fd3f2055767e1c74f8264efb5a4b3f2a5bb8e544bc59f0450d3cb66e6ed73aa
SHA512 e201d8a33f7d0d530e24159adea798e92af9d4eb46f9ee00a5beea61a1be18484098c1e79312c67f99397f87022abe024e9de575d75f313281f90337ff9821f2

C:\Users\Admin\Pictures\SetSwitch.jpeg.exe

MD5 a25297b046fbeece5a7ff72e8a753327
SHA1 b3d24ac268a93c9a61f940e227f6ab3341f47b95
SHA256 2bfb62e274b321932e7a34400d2713d3c3429ab24ec681fcf4e37bd258ed2e40
SHA512 597de78e65d37e550255d06be5f73ad0d37b7f2202b60d0692dd29b1742c4bb9448685e20fdc4004657abfe1ff5dfce0382c88e2d4afbc37ab1002f2ee98fbfb

C:\Users\Admin\Pictures\StartRestart.gif.exe

MD5 917c7486107ec1363437f4d35b815ff3
SHA1 7314ce118846b821df3e1a8c000411ed1e39525c
SHA256 888afe817700be409dbe233eba173a81ff504c95f2c06c598e77c5eb799459de
SHA512 4a4861f728dbff0dba434c8619f30582bbd11031676cf53ffdec03d04029f8deffe2d8cbc3a40e4e5c0ae7faf3a1e93f8ab01c07b09004b744d2f25c656fc27f

C:\Users\Admin\AppData\Local\Temp\EqsM.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\Pictures\SaveSuspend.bmp.exe

MD5 0122481f89b0f176310261efb9cc9fbc
SHA1 eefc07b7ab4ecdd56b050bf189bda7120f563567
SHA256 813f828eba06d22a8404176b51d3323d52e339a6579e505e98c504133fe9055d
SHA512 1e5023c0e5d87a1451a3d3d2158b4de5516d27117b624cc71fe54f9d8fcfcfa9ce1623196af77816850b074f1c2acdc359699b9282258bed6f53a6ff0797a540

C:\Users\Admin\AppData\Local\Temp\gYgQ.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\Pictures\WriteComplete.bmp.exe

MD5 bde62859e3e278824faf0425f7c6ee9e
SHA1 7344dd26ae448a451741e56eb6f8c2ea5f5ec7b3
SHA256 cae663bd2086c5c8e698b6b8b4472c8cbedad1799c10077acaaec186ada9be6c
SHA512 75bb41465daeb0502a511b0b714a882a727131d8720ba356314605e89e23e72458c0a2483e7d105a528bd8e0b5be33a00fbf764887243e257012f3595eab5731

C:\Users\Admin\AppData\Local\Temp\IUQO.exe

MD5 48bb077df7f76b8d59122bdd7f039c2d
SHA1 40b2f3243a20bc236f07b8e5cafb01897e1503ea
SHA256 b82a672a8b04b7c9938a6c3d1eeb78e2de4486a18e0dd08e4114606d9332f8c8
SHA512 b0d66b44e4d8f80fbd85dd5073382738b18911f9dca73c71d0d59f42dc29fdeaa949a001f20f0bf140c007bb6d028bb2e044a36c9d5e9e16658638a5f82b2202

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 cd24e771640ea0e76c1211a671c2b385
SHA1 4e1ac4fb2aa6ea044cfbc08e0280c5492aadc3ec
SHA256 d199ae030ea3cadaba1448fb8ad1c7ba1276d047832f2f332a1409b7539e6f7e
SHA512 5b81b45d334923feab84a8247ecb9fbac84a534d71c914fd253a6dee9f6817a0609d139443445b63134fdd2a18fb8e02e8f924ccd35ade8c1ff24524951e0561

C:\Users\Admin\AppData\Local\Temp\aIoO.exe

MD5 e3c80a4357e3de2ddb45871bb8c52b2e
SHA1 6745143f97b163cfff46b90a3892cee59460f985
SHA256 5bdf15b4c1f070af36a6e6f3a8759b5599401ca10af85291e13c298e513335dd
SHA512 a980e99e2ac5c6cc0743a99027c057a17bb8b91e2488c2f350ef00eaf08fc1c806a8734d9257240e6e2c37e8610d28e2ec38192dd62eaebb8fd64142ae12366c

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 7acfdcb3f894072cd0f47c554de4e1fa
SHA1 443d033784c07fd0a61f31b79d1ea7941669ae3d
SHA256 d291e5f567654712d709a11b7b3406de0230d2cdcea2139ea6c0d854e4169534
SHA512 1e1be6567b4c290eef8bf99fa42ab7f5eb9eed75921108705d5089452d68d83a1119e9162380444d10584d570d739f8faf3d6d4dd6806f30a6f170cd7a2634d1

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 86a825c54c3b7d92763c35f7c7960591
SHA1 a59742cf5f8d0b67aadf95d0817934011066515e
SHA256 45c748a26299167b0cee7ebf845275184d308ebd922f970a7a725eebb90ec479
SHA512 e2b643c1921af6f7b6589a49a7b29df41ace0be781d31b33fd39cfc9dccbb7e6cddb0b46ac75c87c03fd21d0c60e6d5e6869251b10900dd10571e7deca402bca

C:\Users\Admin\Pictures\WriteMeasure.gif.exe

MD5 72959f27b62c152b09a8377b179c0027
SHA1 bf1bef2bafa258b6d76057778de97cf5d72db305
SHA256 e4cca23048b69f42b9ea90e7e40816c0f0b149b10993ddbc1593d43e300c65e0
SHA512 08fc6b52df136e93b1a6d7719df7857174b458bda942935a5d8eef926f3a72819949f2ff9a2d500719d0320be512b72a58e76c4a16473bcd7dc1377f546af575

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 0bf74ea1d516c18142e397fc88969fb7
SHA1 034fb486f1d6e6a1b84d587c403712f369a6bb6e
SHA256 5e611f6acc961797cb17f99011b9e65507e12f821225be951ddcbf0f469dcc92
SHA512 523257c2811997983be79c617bfdc0bb9d2151c92810c1d39d28b88fafd3834d9779c5f23bdd4ca22134037c7bbe38092d5c0f701eca3d015e9b7a5883951ab4

C:\Users\Admin\AppData\Local\Temp\CgUg.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\Pictures\SubmitConvertFrom.gif.exe

MD5 954104469397bcac53efde86b8eaf5ed
SHA1 d9e4c7ec113a78f263494a90bc224e148fb17401
SHA256 e96c757d8c9c36b3047525d8e01e6d220cb3332a3a5000580da59e3941f63970
SHA512 9faa83183781604cbc23d6e36afca69c0f7ec109bb2020587abd53534f5de223f1477f6eaae31aea0025736eec552be9963af28c6219dc36dcd416f3175f5711

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 c7ad4071c78a11e1fa48df5d2eb0645f
SHA1 795f611a81ffebe3614e8487dd168cff430a5fa1
SHA256 c80ae4706b84419a424a5fc206e4cddb0a2b999574470e23f3ddf8eea36a3574
SHA512 e66d82af65dc4fcf135c7be05633fc2424ec3c4441632cff8c2aaa9e7a0fd85bb33b1d1beae3b0463bc10a3e5bf9306f9424d28f2d7dcdec611cfa587225a6e5

C:\Users\Admin\Pictures\StepRegister.jpeg.exe

MD5 d40edef85d68bf0c70726553a2163f47
SHA1 52e6e5eb584382aae084611bfd8229de996af50e
SHA256 575a85df8d73a06352012299286ef40157e3d41e1c990fead98eb48cf34d4f19
SHA512 92a6583a355cff7fde55a2730135a4991872f7c62ae0cf57160c088e3029380a8457026be71c502380ebad5c2c25326422697b7e372b49f0bc1fef2b07685c9e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 c7d9725eee56dd3b6fadb85d2abdc67c
SHA1 b04d1b6d1321fa93daef94953fe537f08fe58347
SHA256 9a466d63f7d31d4f2719dffb95c7db48e5e47887aa39ac4c31ef2976a742f17b
SHA512 94ba94a762544571893ca6ae3dd4933aeb9e91ca3a6d62b40bb6e4168c3e92b594e3d8a81da0d6d977da4ecf994143fae296b5607e9772d4c8cef79f6f9c6b3b

C:\Users\Admin\AppData\Local\Temp\UoAQ.exe

MD5 1d46f84d9eae734c6808e5293ab424f3
SHA1 22d546096a2a75cc2c3e643252ce74224209a1b0
SHA256 fc5b88f576c3f834ed4c33a064d377681182f45bf19f969b46ee3b3ed59fa0a5
SHA512 e9746013f95a5bf6058708cd13d80a75785f91a60e4d4b0d599e58b6a9c4fc1787394ea557e49c20748e6a4932cd6d62ba88748cd845095ad279951c25bbcc33

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 8010c24b6005da304a1a07959946e72f
SHA1 6e8a3d4d00cfa44a73dba62dbe2ddfdeb31edbec
SHA256 bccd4ff00fe96b9dd06316a681e6a1c6a03ab0904bdec21873ee4b5f587666a9
SHA512 3b366ceb8e2de04114429db2d94e732fc708bbba0523e40df6467b7455d3ef026a247f920a7b819a16c260113d529dab9a300d4edb60ab186e6d5dc981922478

C:\Users\Admin\Downloads\UpdateAdd.xlsm.exe

MD5 e163dd6888e0df85ee90f974e597445a
SHA1 ce389039c0a71362dcbc2ddb678cca1ebd41cde7
SHA256 eda931777587fafb9a46b0d7a2e768ce9cea2f9289b7c8e4f0656165861b14a1
SHA512 15c1d346987850fee3725cbd79d3d866631c021a6ae76fda8158c514d2d38687f902cd259a774a256b144af8617ed5ca7a9167bf4e2f87d9a44b25c91ea1e2f6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 f394ab8d3be751c598975f103584410a
SHA1 ac75083752b13dc76c70fbd155a944ab6b6d1d48
SHA256 743e2a5e18ebe818e0d99eca8f0953244f670a7b2e27981e7c8b694e36802217
SHA512 a2f6fbb9ee886ec37552495811efb6495e8559187d66259469d77256add877f53d3ab3e89f72a4e6873bccedcd139552e247192ed26bdbc8469836c6fd8b0e02

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 b95164fe980dbfdcb9d2bf33634dc33b
SHA1 1d8efd0d4e0f96cefcdd7e74569c1b043bb54adc
SHA256 93ddace383a99a8dee5f61a93c57e63731ad8057a4dc64778c6b824a03b3c872
SHA512 fae91dec8b8860a218e5d0fc86b275a4de43fd743b60347d2012dcf70977e0f7ad8535f084690f9ab79f32e62827b60e20d51a26f1b7d31b664953e8b0d0b8f7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 5fb4db8b632901b129c917fd9c403a95
SHA1 0067f01b27ec2ad48a645beb66f40d3b3912323f
SHA256 9c05526b1d8fa49492b6b3ce487b234be71137d1b3d5044032b46438353c4689
SHA512 41e7fbd19975a6d01ffc26484ddc03c9b6d79b2aef9eaf20f5c31a4e072e9db804676518be0f42ed05196cb4895c9d6a33a92f7e7caf236b22226fe4dfa3478c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 a3eda061b7cddbdf6228f88061c1c056
SHA1 9455d6cfd152b4d8b78279188cfa38fd11755f4b
SHA256 7bc9591af080062be89d35ad5290bb7e57916f9cd1716bfeac6e728cab18720d
SHA512 ae057939b78e9ce805d4cdb6b345d6e6612de5f3dc2645092f13e1c22969ea288c5a0e7f5fa8cc20238f9e549de4a7c9233c9a4505bae925b51f2feb07db1e4a

C:\Users\Admin\AppData\Local\Temp\KQIo.exe

MD5 d9174a3070a313f1981845f7c4d54dca
SHA1 0b3ea4fefcbe529639eab3c37446516cc901acb8
SHA256 f9520f23ab49ec49140fc2d5173beb21c49e26d475c77855c672fdcfb92b1d8b
SHA512 0e9856fafdc14d3f7e2360bc4089eab0d16d526bb7d3c08cc4c497795211e76b5d2e6b0ce770334209f1dba1838a43e6311d953297a2a74d9e533c06aae513e4

C:\Users\Admin\AppData\Local\Temp\KMwQ.exe

MD5 0a1681e3380481ecdf0bf80e487fbd44
SHA1 151c6fb06dfc72157d4c9c883bebc5be2dc4a5f2
SHA256 be52d1fe8292aa9596bb21932f9b099c52a660590ac1ccc3cf211b31d33c6fbb
SHA512 ed158a229a93b9e2af289433ee7282541d25d4972f98c21d1c7600f1064627ef93b47f9f5a773393e99f108bd4affeb6aae9668c4132197b84e41b4e131d221a

C:\Users\Admin\AppData\Local\Temp\yIUw.exe

MD5 ba66fc239b92f37e20e7102dd6ff835a
SHA1 1d3677141e1291f4f5aad12693b2cd183edd21d3
SHA256 1453bf1f60d01f0ebe5e5c59311d312ae1e1a189c3ce7763313c524483e021ec
SHA512 b15629e89abd0fe7315a5339caba43e732c1737909076ed0074ae0e8fec57027b09249b06eb9d1cc241fe97a396fb3d2836066d1c1b06a6d06bd97c0f3b0c334

C:\Users\Admin\AppData\Local\Temp\eMYS.exe

MD5 2d6441af33d362d020a503b47edfd8f4
SHA1 79d7b265584d3d9ea3dee6ddfa9bbeb89d341b77
SHA256 427157b251fd8bbf02becfcb79dabe6a0135b769e33269ecc988c902c68d035f
SHA512 c44b72ac0de2325b870e82cfaa6f5163ab89ec26aa7a279126ed902c30f53d967eb8fca0cde064e22e21e814838d820c63ca75f1375d09cd2feec1a888dcbcc4

C:\Users\Admin\AppData\Local\Temp\KUEk.exe

MD5 0825138d173627f0807daa3d7564c4f8
SHA1 dae1f784176ec2a98b8056375cf78432a907e0e5
SHA256 86cf80a0b92ee31eca49a7ca000a869f9abd28da72de936f461ce3404e62226b
SHA512 1fba9b6e1b623711e3e17e63bdcf40aa04e70fb1a5cd8d77ee44d50446dc94c2fa788e302096c34410ac190714b43fd7bce26a64ab695a3ecd32593a02606054

C:\Users\Admin\AppData\Local\Temp\YEAc.exe

MD5 02eeb55298f634379aebd52e47a93503
SHA1 4ea51dfb2d49a48cb90dc288bf19db92cd51aead
SHA256 1020ee3dd9041e25e7c8fb580d0eaef30c1f5d3c86bdf20bb98e07f35a264442
SHA512 749d012c55498533bcbcf8879108bbb88c8a271f9290a3814ffedb2a43c920b1105cbab938b0a487a4aba251db8a3016e77ddbfcab03c4bf040c0a3e50e55305

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 f3345f62b4f63ae091072b4a5e1c343a
SHA1 0c14bc4cc5efd9aa94f58bcd6202393fdfd2066a
SHA256 a5763fd906a159106c3f5078cc0ff0297ea443f27d495133535d8fa77e272a83
SHA512 6a25e9dfe577740077cec744dc636c45e63216b9ddd186279b4e0400044cb2f74f1337738c1267426daa9371149ec8e636a6e0c19b91f40ad621724dfe9ce9ea

C:\Users\Admin\AppData\Local\Temp\ugUs.exe

MD5 0653d0cef1aaf208473ad00f970b3b23
SHA1 9feab38b78dcad49f41fb29d9f7b3e6ef5e05b3f
SHA256 b43d3e31e358fbe0243084b5611b4ccca02bb0e25e135d8832eb5813e3b6de6d
SHA512 4eaa0883b5c8b5ea73dde90e394fd105e641d67f535ab425341e93fb0a503431e00739a920f75700ab8538dd39c10b5b4503b1101ea3e2f8a288bd10f85806d4

C:\Users\Admin\AppData\Local\Temp\cQYS.exe

MD5 a204018739f2bcf8831d97586d3cabf3
SHA1 a4148d262dd1d7c0a58951da89b4c5a941fdf203
SHA256 0ec3815b82b77a61e8cd4c4a594abbdd8af6812e855324b460c1dd2def1a44c3
SHA512 017d52cbd5ebc8629d1770acbc4cf4dc9d7c246e182698e611bdb19c49ec093c4e8d6ee58360f28ab296d12fe5b0cdef47ef0ad7ffbbe5d91c8b9c3e8b11bc9c

C:\Users\Admin\AppData\Local\Temp\WoIy.exe

MD5 cb510546147315aef3fce35590c19a4f
SHA1 7c274af4e42873cf4f71c3c90b234003d70eedf1
SHA256 ee211807a07fd59618494b0cd01d4af0291d479facd01db99f1801bc1b548131
SHA512 96d22efc1fb727ba67befbc522101d542d6232e4c7e910156581b13057e5bf0e8d827f8695d92a79db3074cd18d6c3673653ee89ed790beeac41cdb36af062c2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 4d4e78da3835420a73458ad216420c67
SHA1 d1ce4861192651779e4f067ad146b74f070dfd16
SHA256 1bce7d4779907d2c174d6f41ff3197f5000d30f6138e910c1055840dfde18d0c
SHA512 a09fc6605b151f7391606cc7be5fbb7cb8938eff22a25ab319984f3b9b2a9875a69b67249ce1224031b6fc72169c25482ef220a3e0b822c298ce8976175bdcd1

C:\Users\Admin\AppData\Local\Temp\uIEc.exe

MD5 185f7ee60603b9ea2262ae05635509c1
SHA1 fc15c8cc50f11f62f65884968d6d2facd8448dab
SHA256 5374985a05088dc3a57e8f71a3b214a55a0d55f7ca81dbfefbf08c3343a9fed7
SHA512 5d30050e0ba1538c15e006ed270bac247a033909c1f453bb356ea6a9241da8df3dca0d14f654b0f0810a6d2f62c2a22dbc9d6819aa6e0f2c3e81b3327bd7578c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 cca76d58371eb768d6c6cfa78834f68e
SHA1 72e68eb2a4bc659c38e69f398f798b5f9695a103
SHA256 0fdd6921351b60b671190b1123625a0dda72993bd60a1c106d9d4adc80490332
SHA512 675fdb8e8659aeaf2a1f5c7e493e390949411a63aa8fe4f5630f9448ee50be45143ddc47ebbc179df677df0a35f6d62aa6edd874780a3a252c14d7244f81dd13

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 fb85e4688aab8df074391daeb6aa6b5e
SHA1 2e80f2ebc61c9171c7b90986e3f7a33668e73438
SHA256 8baf5826ebd4456930e26846de026d7f45d5791f73ad4aeed7a23df4dafd06ff
SHA512 5723cbbe7312f8123ce0e07993724f0def054049df1a35bda7cc5c4a777aa817d486b20693dd6c424b86ceea56f8e0c18876e3d6d9cd8946ec9d3f87819c4e1e

C:\Users\Admin\AppData\Local\Temp\IIYo.exe

MD5 3a4b2cc8fe16630409fa9ea7bc38218d
SHA1 f563007e4f8787758630dfca7a3751e551c23dd0
SHA256 f39e845b276cdc8d3bf326cab225c11372974b0e2970d6a22e3956dca64f5512
SHA512 f913acd4ed58a60c9abce78c03b0ae8fc778d07ba6c6cf9fad41fd986459033c747b79fe70953216c6c4c301b027666a0a1232f8ac69ed289e6a858de7b8681e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 ce79d0d11a589176f6543a0c52dc43f2
SHA1 b11c68a5bee297b22b1b94eb21c157f6e818823b
SHA256 b7d17071b857e2e014cb47779ac059bf1c6a36f49293bcabb6a48e15ef40fcf9
SHA512 3a8200ef7215d7018b079db5bc63a3e6d57928a003946cfef64a3b5b41a498c246348042e0d1443f349e1445db3e626f47ffe1902b9b17ba3295d6b85a0ea74c

C:\Users\Admin\AppData\Local\Temp\esMq.exe

MD5 cb924962e197445ccbddde4742ade247
SHA1 a83e527bdd496d6b4b750164c3f0e8eadd949992
SHA256 7c2ffd27fec86c5c01906b6ca020d73600884fdde298058fc3e65bef0ccd4abe
SHA512 aa79b5fde3e4eb9a89accc8013473bc49b8ac79f30ab40c7463fd33f644deee17e464f0e53ce6d825ef0ce9adbc41de73ad55b4748e4a3ea0e11468aa2ce15de

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 f11660ea41a8e4dd59f9159ff1b3b2ae
SHA1 84c22eab4cab1f11e8ac2fd673a2591e690a4676
SHA256 237cdff6082f9f7217fba9ad74097ad229c3f5c40c6de63676bfb61218a78b3c
SHA512 1aee2b7150516ccb0beee7cb2677a2da83e52e2cc50e85160b225c6a05094eb9fa57c3e7a2daaf867fcb84f4da16d91f13cbd21473886ee14f629a89d1f3ad03

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 474a58facaf1c2ff16c791c1b547a643
SHA1 71c0216f989538ba82b4d34ab9c3c6e680e7ce81
SHA256 708f1640a7195f3c91628388379cc69a58d80313820d61182b0a81902fe51c52
SHA512 fbe3849baaef089dea8ee14303f9b54ef11a0368320fa64964e01f86db8b629d13ff95b5565a0ad004fb5a1a397ce9dd4598ae240a3901856391d81947382b1a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 e679d59cfe3b1e2d164e4db056133772
SHA1 de0cf64ec0c28af2d162e18d08c0e1b3775609bb
SHA256 78f736ce23dc6a2d6a4ea2e29d38cb176f67ab6d9c503f3ba8557f44d322ba3f
SHA512 7321d8516dc448eea1b99e291fbb94045dea9ed13256f866dfbc345369afbfb60e9b45732946f1bc55ead050c9af3ecbf0dc1bf403a46d1287b12392aca6d9ca

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 1770586198a7951bb4ba903b5122b7a9
SHA1 6759129237b178c73844a54ba3163e2517c3f83e
SHA256 27d24014bf678cd72ee515ef834e4d0cec870364c392b1deb6b9b1e7699a6a75
SHA512 6e16ab50952c19763f125af83e20cd2b239535a0c949ca1a7216dac6dd1089f83c4c3a1fe8af67d5878bae4839daca54083444afc5006dab87fc7c006310ce5d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 7f438de1baef7d9db05e1f89a871a8b9
SHA1 2a3ff7295120c7e572827de1e5685123a7a3bc5f
SHA256 0d17e6a6d42f291c768c708b15860f11701f6b1dc1cce57d0c2304dd2ac25135
SHA512 56aa17f25773428722af9cb9ef738c0978f16cb1a49925e6843cdb1ec40a7f83ce530787915caa431e1c9f4b465dd75d27f255c886ea13019c91554633c14e59

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 12f29c9a3794ce8d9e2ca440b9ec356c
SHA1 efe1d08eb1bf72ece5f88fc369f6f55c9eaa8990
SHA256 28a43f29a56d7e225168cb87335d4321ee7dfdf896aa7969262fe75ef1275597
SHA512 0a7bc2c5960457ce95ab3bd2ca2884acba87de67503913735ab02651d891e03446105f0425cdd644caa8c7d88aa4849c14a9d9357484575f4853cda1d71ea64e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 28d5a859b7b90f93ab766e321ce08a25
SHA1 4b15861472356a52fdff7fc4674be36ca1a3a306
SHA256 16341323e1b4908328a3ef3b20f60bcc90381b64e901201eacb8d2d74c19e4a6
SHA512 55fd9cb0d8e9cf3ae952f5ef6066242ce558044d2521a26c06270a36345886cd0a202303859cc38e077423810a9d2c430a30c41640de4c7ec97f1089534b5a4e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 ff1721b8634407adc393283cdae616d3
SHA1 9db1d265a04f751979a2e2494836ecafb82d5d84
SHA256 50032d80eb8f2124d1a50aeb383561351191d5b51efbbf92d620d0aee59757bc
SHA512 fbdaa875f02af24588808362e714ce899006240cad96044ef4bac099ba8de2b2d25d00923a8f87300765a74de7db94b079358502b3cd603168bdb6a1147561ab

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 0c29ec88fd4d4a0b17a5e9734091abc5
SHA1 55e0765b66fdba921552a9b1b8a866b6f8ce10d8
SHA256 cc6d34dcb724a2ba874b1b08286033f93b68b362561f74ef663478c9c59ba45a
SHA512 ddf5844cd5ccf857f3a32c60e2ab0f6f9408e8699fe2a89ee61b32696955159152958ebd8340521d6be8c1e01b58105323b9dd845cd94cdf28aa9c6f3110a6da

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 6fd82b72675622c27444360fcabc2ccb
SHA1 410580da8ff0b763eacb8fdbf50f211043f573bc
SHA256 9aea28084a51f76c3b770eeac0abc041e89a985753a28a09975319d06c25a8fb
SHA512 83ba2bba75281dc89565ad426fe48501877c89ecd16ecb4bbc97738cf9594da1d7441d26cbe4c47bc04ba4b15fe1d20d74e5bc46247068c7225fe7b8df44e180

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 9c93c168a419cd4d22e86e2c11890d04
SHA1 37a3497eb44a1dd109aaaa9e01443ebc0c87211c
SHA256 45957fc4de7eb2abd9ddab99fe2c7aadb15b429afe12dd7d40ada039a7154cf1
SHA512 ebc7d64ea18b5e121739593ac317200da961944a1e376ff647b1db4d400fff715a5060b67627cb62787e8eac0a909e38db7d15bf435f5fa0e04d327ff2530b2e

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 a3ca67aa775eb495ad89cf25ea83830c
SHA1 9ddf810b962f802f9f3c8239eff6ab720f962ce0
SHA256 0301bba448212554c975ccff74e7de4a7f54574a003bf394f221305ca8c1bc46
SHA512 6de9dade26f695f61d05a27a50f74ee9b38434f60119454e70aef877eb97ddcb275eb44c2b159a52898052a0d2f6513d85651c154b42cb3f1951d813655f1fb4

C:\Users\Admin\AppData\Local\Temp\MKAU.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 0ce5cec8345bb18bb26deb0a3feb5a54
SHA1 409fc689fea5c955c04a73a2801113bc01177119
SHA256 f3f01a544f270c1fe45034a3bee5b7636b226496b8c39175f4b6d7dc7386b4f4
SHA512 0596b06c50f05ab812812952087017d25b14074326fa3fa0edde622e5140a0d496cc0191d5a1c283a84ffba88d5ad09fe719a258d24a813ac3cda6faadbb8056

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 52bbf2f8429d43bccb958b525b38f827
SHA1 e9864282b21a35cc568234cbdf041e767ee97930
SHA256 30b482b37a1393b18d8c88c5e561f8198bccf1d271f69768086cd810a29c4c91
SHA512 cea8bad825e40f6f5244f471c94a730f875d9f32804b53a702477019d131db4740f3a20634b58eef111d27fc7b6a912a241323d7d964ed2c9ebf4232bff87e34

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 728fbc5996e0d3135d102b707fcb4f0a
SHA1 f3691a27a338e050632da955058b951602231889
SHA256 89a847ba32a0628865e22590ae2fa327f0c43f1060c5297f72e527cc2e2c7ed3
SHA512 8ac0b45c88a587514dbe0f401221c66d1a6a9e64f16cf0ffde20e7d9f5ac76d1852934be8bb0ad2cc9219f145f7c75f06676cb2b64f7adb08d98098d01a1fa52

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

MD5 4c0b552301e7d029e73840d38d232ebe
SHA1 4bcacc7e6c3b3d808775d9761041347ec86f1fe4
SHA256 5f6e037eb66c8a6cc135e945232163d4d1f1873f399a70d2a98c9a0f9308f8dc
SHA512 2458ebe766d56eb41fd92cd8b58a3288f134fdb3ac93736af227cb37f702b2ae7945f3ac108cf45537f3bf13f0d7fe0ddb3234eadeae141cf00caecee62762f9

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

MD5 8a51be988ebc2f4bd82354bec088b630
SHA1 0beb9b289a48b6c7ad658b44c86f4a98343039c4
SHA256 a7974bdb80db7b0cdac0da277c7e1758e0170dd66d61c406810b214dd8c63743
SHA512 12a3a4a3d884cef9bda98476ee3a0f54501f6afaabc17f7771eb927a3e9a8a2ba09b9875b841b1ecba71027488dc9d90970269f125c424222751ee01e15aa3c8

memory/2108-2285-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2516-2286-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2292-2287-0x0000000000400000-0x000000000046F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:58

Reported

2024-04-07 18:00

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (51) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geUYsgAY.exe = "C:\\Users\\Admin\\KAwUwEsA\\geUYsgAY.exe" C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mIMAYIAg.exe = "C:\\ProgramData\\TWgkUogs\\mIMAYIAg.exe" C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mIMAYIAg.exe = "C:\\ProgramData\\TWgkUogs\\mIMAYIAg.exe" C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geUYsgAY.exe = "C:\\Users\\Admin\\KAwUwEsA\\geUYsgAY.exe" C:\Users\Admin\KAwUwEsA\geUYsgAY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mIMAYIAg.exe = "C:\\ProgramData\\TWgkUogs\\mIMAYIAg.exe" C:\ProgramData\sWAcMsUY\DyIQwswM.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sheOptimizeImport.wma C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSyncSearch.jpeg C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\KAwUwEsA C:\ProgramData\sWAcMsUY\DyIQwswM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\KAwUwEsA\geUYsgAY C:\ProgramData\sWAcMsUY\DyIQwswM.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheConfirmNew.wma C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheEnterCopy.rar C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A
N/A N/A C:\ProgramData\TWgkUogs\mIMAYIAg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3136 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Users\Admin\KAwUwEsA\geUYsgAY.exe
PID 3136 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Users\Admin\KAwUwEsA\geUYsgAY.exe
PID 3136 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Users\Admin\KAwUwEsA\geUYsgAY.exe
PID 3136 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\ProgramData\TWgkUogs\mIMAYIAg.exe
PID 3136 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\ProgramData\TWgkUogs\mIMAYIAg.exe
PID 3136 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\ProgramData\TWgkUogs\mIMAYIAg.exe
PID 3136 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\python.exe
PID 3204 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\python.exe
PID 3204 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\python.exe
PID 3136 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3136 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3136 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3136 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3136 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3136 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3136 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3136 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe
PID 3136 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e585bb9926affaabdf7e031ccbf8f017_JaffaCakes118.exe"

C:\Users\Admin\KAwUwEsA\geUYsgAY.exe

"C:\Users\Admin\KAwUwEsA\geUYsgAY.exe"

C:\ProgramData\TWgkUogs\mIMAYIAg.exe

"C:\ProgramData\TWgkUogs\mIMAYIAg.exe"

C:\ProgramData\sWAcMsUY\DyIQwswM.exe

C:\ProgramData\sWAcMsUY\DyIQwswM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\python.exe

C:\Users\Admin\AppData\Local\Temp\python.exe

C:\Users\Admin\AppData\Local\Temp\python.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
DE 142.250.74.206:80 google.com tcp
DE 142.250.74.206:80 google.com tcp
US 8.8.8.8:53 206.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
DE 142.250.74.206:80 google.com tcp
DE 142.250.74.206:80 google.com tcp
US 8.8.8.8:53 google.com udp
DE 142.250.74.206:80 google.com tcp

Files

memory/3136-0-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\KAwUwEsA\geUYsgAY.exe

MD5 75dbcc9c2a89259c9281958fa8791c11
SHA1 3d9a96065339a4a26f03fb95c1035cfb026c00de
SHA256 e3db0463c448f2e832b863918dae757d1dc3448cb011d8df0c20c8c6b274f254
SHA512 3b206642b03b30b9d069589927331375ec68abbfc9b02fb4a8d9c869d8fc851eafd2afc96d53e26d35bd391d78bcd1d3305abd8f274167bfd56d5645640286dc

C:\ProgramData\TWgkUogs\mIMAYIAg.exe

MD5 33e9aa62b88c134e64584c34c90cf0ff
SHA1 203a31b482032afd7a22e7d91e94763056b0cc30
SHA256 1057d6e9803e8a6b0e609665bd78f96a659afd2d18ef05c0d2ef4787eb103966
SHA512 620e26a8a13e78dc87d130378724d2469eb1c58cad0e689cb7cfeb9f1b11c2f31be7945c0783a7f93306c733387a9d504a0dc09672460966eb529e5fb53ce828

memory/4420-8-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3788-14-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3728-17-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\sWAcMsUY\DyIQwswM.exe

MD5 47d1306e769633412462b4d55bf8bcb3
SHA1 ae413244905f16cc3214798684331ee889db0177
SHA256 8a80f12067c41662752332028f3e6e6fd22ffa10c61e02da9b4c1fa5ce627cc8
SHA512 3fa02b3db31b8b0d8d721613724d57efca239f8de83e37cc40008dc7072bc8ebc5d4eb0ff8f253ef01778cebcea833d2111e1d7423965f14f83582def7e3436c

C:\Users\Admin\AppData\Local\Temp\python.exe

MD5 116d1368a7fc6ab6b09bde40e921a44e
SHA1 77d7cc68d4b1d20f3d27d4b495396be0c5d77141
SHA256 27fd603bfbfebeb1074ac6335c6e030d086f5bff685b03f377640150a1c90fc0
SHA512 8ddea8113af547302b63c192b3c9dfc8ba2444acecff199caab31f7e0564f4b6c3b01a547207eee0b437d3e5ba9ec826a8e2763ebe8fa1e317ae29a841962192

memory/3136-25-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mcIy.exe

MD5 5ddd343a901e1bf246300a2269cd44c9
SHA1 a909ffd431d49d05034fd59eaf0a855f9a2633f2
SHA256 0a5f67dcfdb9338f7268f48603ed0b47e84d634872879de008cc454875d20069
SHA512 34d53260916d584748f7676d098f9f24dbbaee7d09fe9db9d2e5ed1f86247fc96e396a5468d3be2f40f9d711ecf40bfcc4b3e97ea84d9e06d1f1fb24bcb25655

C:\Users\Admin\AppData\Local\Temp\kMUC.exe

MD5 4799eebaeb6eab16f3b7bf1878f98bb9
SHA1 93113b69bbc62bae462010a557c1af7b5a2c9dee
SHA256 bdc6f3acafc287293dd9479a06c7bd4ba0b2a08a0d24d10173642a3b0d1affde
SHA512 e5398a5aaa7621bb1ed8f9d3b287392244c0b54db4fc104c0f7bd06ec54bdcc5190418d27f78e2585188c46ad5ed9663ec5136cdbcfd7ed8ccee66328f5ca46d

C:\Users\Admin\AppData\Local\Temp\uUEy.exe

MD5 bd3583c9afa0aabf3497107883545669
SHA1 1ae12f9fdad088f2f902f24544dc5b9a01df7204
SHA256 33f851c7e0b6b497c6c7acb65a01a82dd7505a5cbdf7facb6a18471a405f1347
SHA512 9aa420ba0ba349481e780689bcceb40f26bb3918e4bd853a0fd53b1bb827ce8dc6878daa17a17b7653796fc5b651d74b6b05b153b4e8ac1ae939cb3b5a161771

C:\Users\Admin\AppData\Local\Temp\UAky.exe

MD5 c2f3eb659584c59e15ca050009147f1f
SHA1 18a71054b6f41ca09a3ba86dcf5a3cf4d5acea19
SHA256 81afa747b8bd76444a06bcd007559f71d314760e044911731fee97a856823bbf
SHA512 182c13dceed13c1ad67a4a970ada98381e93b0d00242a43f21cb5e1b8641041a10f478129fe08ac477b5d8d9e322d00d30ad3aaec282ccb533be87aba5d1db19

C:\Users\Admin\AppData\Local\Temp\ekwY.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 c66ff5012f960b7dd36595e13b52e53c
SHA1 ea97baf069edfe08dcf5a29905f4456188b4a853
SHA256 d24fa28d1975b1f9fba9283aa59da061128c8106c93f5052d2cea3009e518621
SHA512 37057ba4fb1d14b49edc4e320c87322b60ae2f69f08bfda94a6678fea2b4df890851b177da8004efbe4e784bab873b9b2ae97987c2e4debeb24ba4d0329f6cb7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 28468054736da119f7d00eaa1bdd4101
SHA1 1c40cba6a68dd172115c8d73e33353b080aa5313
SHA256 c860de31557f49c43f478e1db57ab62bc13529847f83bf06bbd5cfe7dfad5452
SHA512 c9716f460edc8c7a5d8531de504d74aeee310d0e03c3086def0c6577533a5ef5060dc74b01501a5e10af20e6fe80ae40b578312f55dbaec6d4bd7de3102ab3e9

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 b99d3de4e6d4373f5d2e509b484e6b9f
SHA1 2902a4b51de2aac7a4e7fa0998b9cab285f5846c
SHA256 f58a5614e47fd0b7034feb21b4720f77aaa987384cf2d4add1817f7eceb0cca8
SHA512 50b2b0bf18ab74325b048cf4e43e7cfab3d254cbf896b1e5d7297a2714206bbe81024cb042f41f69c5bc370cae70d617979f6086fe72abd26f2d2a741709d149

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 85a235e8c0d97c26004d722de51511ea
SHA1 0f2c5f0be4c3e8d9c621cbdcb5f0a790e6563617
SHA256 ad38cc4a1c634c66ad3acda02f1a7d4befe724afaec199e6f313cdf04274323a
SHA512 dde4d4e4b9e7f233072d48136897add923b3cc8a4cf81e50d17095b4912fb188ec72b0ccd3057f15d6fe6b446196df552e68824851490430649dd61f04eea59d

C:\Users\Admin\AppData\Local\Temp\UckU.exe

MD5 436762cf520165034ebf99e58640785a
SHA1 7ac534f1118ce713250fd297b01008b505086a8e
SHA256 8ccc3597c33a54389858818c6dad30887b6e0353f362b101fe527159f0138555
SHA512 189112d8bd7375dcd53277111fee44475c4b6b1a64599758046bc67112640bfbaf744fa4cc6afb738c5af896eb116c98a8132fb2cfdea414e6ee88c0b7ebf066

C:\Users\Admin\AppData\Local\Temp\wcQy.exe

MD5 b7e3cb81dab1d0a196284d58992bd17b
SHA1 98c69a4ec9d9dd05a9ec7e4142c4cfaf985a8cc0
SHA256 0b1ae794f8cb4b398bce85e8e505c92193863e9dc5af373274f2eecfea1291fd
SHA512 315ce18deb988943586aa84beda23548e303c71c1450c75af452d7f65e16bf5c0b9ba8880b8ed4e5c5ffdd7c2bdeda84895c4d831b7fc1b4eb934b10cf47a999

C:\Users\Admin\AppData\Local\Temp\QksO.exe

MD5 c86eeefe4efc3c44cac94ea81c6f8dd5
SHA1 b412315d8c770338c6495678698d4fe2f2367233
SHA256 a36c504c294a07d82aa812f62c11bd325fb01e38d919623f97f8038adedbf90b
SHA512 9b66d3ea62138a652bb78fad25c0625acfe4faf560f0f0e2c6a83aa30873094288c455ba22f149b0a069b999232303147e7ca6536a85463b83d3640143f7afd8

C:\Users\Admin\AppData\Local\Temp\qooI.exe

MD5 c692742ee582db6e82ff9614097670e0
SHA1 a2977aa09051e286e4559dd9d79477af754f1304
SHA256 db695ef9dbf6a1abb7e06e1c0c8b25dc6e200fdb32bb399b87a7911828ad1865
SHA512 f34ce7241c73a79a62de105d96ac5677527f904aa1c2a6ee36817e55a258707dec4fe3ca172622b64d666d67f1dfac41f902d5b5737b6a10421c74cb28db983e

C:\Users\Admin\AppData\Local\Temp\eios.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\essw.exe

MD5 01f548849c88d3151c6e8093f3b915f6
SHA1 8f7c7742f61cbe3c6b707086d3d6bf18123ca18e
SHA256 90d7c95ee41e2ffb7c87cb5e27a69c9619238c94277c0d0402640ec18b8cdbcd
SHA512 199bea07edb3313f6eddc6dbbbc7098df798a5bfb6fd38f2d69ac5d15f9b42ceb93f8488d29ebeb37090b79d59e8b7fc21261f86d6762f0a7a8679af4d516379

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 e67830fc2393807687ca87dff3eb46cb
SHA1 dfe22b8a586030a97ddfd7b383851761ec1f50b8
SHA256 304cd2d90b70e9892b525374d92de41ad3032a4236a50fa23f33e3bc9cb92299
SHA512 4c7851626989eb9cf321b8094ed25c5ced763f05a68e19a943b24aeadf918c0bdf99db5873ff8b14a7d14936d97896df8c6bdf1fedda9d084993d156ddcd69a0

C:\Users\Admin\AppData\Local\Temp\aEcq.exe

MD5 93000f52e7ef67a8b3f1425d7ede8b8d
SHA1 8e5415f64115172732368c9c82928f66ef97d2ae
SHA256 61f39d55c2d001d18709807c04c0fb83b7858705c2ef56bd7073142589dc1b79
SHA512 b02beaf2a2be213e5d33e0cec6f419bd877b523488abb011728d9b71a95b60e67556d3b8b0793a6a8ec8595291948216b0fceae9dd7210830ac44dfdc6adbc39

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 65564c3506f28c8884a7e0c3bef1bad6
SHA1 f20418c1ab39762b33f1901a2c81862baa52a64e
SHA256 ac1e3c7c43eca7a6f5c8150b729a74a9804a2a2bd7a158526de2c13586120e3e
SHA512 af4593968628ebda1afe8772e00e4382bac163b3b495bd39399ec66633670b01d00555b47f61f710141a94d19a5a0fa3131ad535e032c60708da8fec297bfa25

C:\Users\Admin\AppData\Local\Temp\ScAe.exe

MD5 0bafb4a2dd168ac155e91216b4d4d301
SHA1 716683c19d75646e978e301cf28594e7ff9f30ff
SHA256 56b2b64b72584615572525e692ad4e53f0107370458bde75f4c0b4a8a0b730c4
SHA512 4962117022e4d6d2e37bdad672516a55a05a1bc951ce84702c2465406da5be35a11d2ce90218ea185490e9374c405a18a908e684325c90e5d7778a3b724e2913

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 31c728f3956c599c6223967959ceae15
SHA1 c68ea3bfb8b3f13f334a36a7696bb7d8a9e019d3
SHA256 925f74c2525141099a244fada7f9f2c530979dd47f957962d6abf981fc8f94df
SHA512 dce77c36c8a08bcbc8f81a106e5a6eb0287abc562844cc85f98f6249be28ced54e01d7f4461cdd80034e5bd68004debf6a04afc9c33eddfe854993c45bca4c37

C:\Users\Admin\AppData\Local\Temp\iska.exe

MD5 b46ee3277299dde3712ff39104b57df6
SHA1 e9ae519cb5c07b1f8ceeb90aad925896a743fb58
SHA256 9ff0ae1751ea4c2bbd2769291ef16afffbd8dc898c23c0c2fd1cc8fb685fab1f
SHA512 5846eeab30d393fed09a8d46348dcbeaad6b7239b8f3a4a2cbb594c6338b7943092aee9001b411aa7d017660b0d8f06bf8ef3832f27cebb88b4dddc732b383b6

C:\Users\Admin\AppData\Local\Temp\oEYC.exe

MD5 a50dcf1ab5de50179fcf4134366b7d77
SHA1 81de959c966bf73cd89b648b1ee420c7766163d0
SHA256 d5f2a13f7a01b8dd2dd7ead7042bc19b023ebe9cb2148884d87de72ba8652317
SHA512 cbfdb4ed9bed4229b9c3bbe140e8dbda81e87a914e27acac3ef7ada6f58484fc06a1724e13f9a2600a82e2e07b1ae165939f15c187ecc112f8bc5f47fc225193

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\128.png.exe

MD5 2bc7d5d4b66e6eb0bdb3111ad01fd1a5
SHA1 d9c2eaf9ba5ea0e6beb870abe89a8b334f2a0efa
SHA256 e0ba1ccc16c5274bebcbb46316bf248b6e3376e168788840b37536453a61409a
SHA512 48447289c704438eaae81f10373753e6b5b1faea3dec3a5ae3fee08fc8b5c12d19ee39ab240c1498b5d8013c194347805d283c81a36651eca43bba26c9e970f6

C:\Users\Admin\AppData\Local\Temp\ckIa.exe

MD5 3f77548b03c202368e38a1722a45dcb1
SHA1 4cd4ea1a9407daf942c0222f0b48bd6ee44607b3
SHA256 ae94db5704029a5481239bd8706e22773c0efd32292f8ccbc74a1e1d987dc279
SHA512 d446865393a654c697a663976bb0cf71a3dc6fb0b3c1f3b5dd87ce07012e6f8e7eed95f81a00194540d11ae7105c4571735c09a97ce4ec209b733e3ade5c1f36

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

MD5 2d535b666cd89ef50b321c85631e76da
SHA1 1fe694e34700ad1383e43189ad0180e68484c20e
SHA256 96cdbdfb1030d402d30013cfe99f0c05db08fd329721eeb4a62766b1a913e193
SHA512 bd9f7b36c0b435a754a63ac26d790bf0b033e5d5ba8d3e3ca3843febf13b28c6b0ce0a8b648b757ce56f2cc7fa8dcbf02df9ef19bc052d1a4d759f91c200a503

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 828fa1d165e36d90cef34ca8acbd6477
SHA1 fbb83845867ec0f53c19d9ae8a2e0ac573e2f7b0
SHA256 26ca63cedf0bc66309ac351d61a501050c212bb106e96ac3c082b3a774261d5a
SHA512 b457908b582125e0856092d2641faa23ed82b823f8039e275bd527f91399a344b03bd242a0a12dc28815327ca8f13ea9c009a042c937d14f502c4564b0f55479

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 619bd95ebcd28bb2f8176f48b329fe11
SHA1 021ef1a3c6e621a843172d9b98b465ad1aff23fb
SHA256 375c20784a16b7a6fe2486994c90e1a82a28e65bad5a3f764997550c59598d6a
SHA512 bc5275de98894cdfa715ea1fe83095150f290be87296925c856f2fa867197aba75a31d55886f08cad58613e4e5fc4a9c5074dfef844d9fd9aedd9f6b320994ee

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

MD5 240d4589106be141ea0792e27be9b401
SHA1 2aa6b5c4f073c3962a0704356e95afff3d4e269a
SHA256 cbc2ecd6a59a542682196393db4665679653378d190765ea5588c40421eae524
SHA512 f987bdc708a33d9a697ede1cbd7a6033398c920ec29ac6665302004aff675ca04e9d245a7bd9b17fedadaf813d88be9df7aa108e6de156a0caab178e679bdcb8

C:\Users\Admin\AppData\Local\Temp\koAI.exe

MD5 617962bd9d511e1dac48078b09b1dfa7
SHA1 0e887ab3e6a7eab9163e7a685c415756a84a7e8d
SHA256 8041d9de0122d48ca8b99a0664d4b4436a90df573eec24ff29e20eaef48ba5a5
SHA512 5b6d62dababada4d88088e38940ce824292e14baf24f27d97dcab1a0781e7ea039504f0ed0d9118c337ab16211f08372cf5356049e7f55229c02f83eee997515

C:\Users\Admin\AppData\Local\Temp\wkIc.exe

MD5 5e30ec8dc7b21a9e4f627ebb9dcfa0cc
SHA1 a99ae9d7a11fc7721673cadd4075bdcaf13af04e
SHA256 3749005ca51512f8c89043473f10e58f61b1d20b0e3e3d6ac0a96a3e46c48a48
SHA512 ac6f7eb29dd59686f2972c0cee1cacfee53cb3df53716d7db59876ac3054da69e62061d3192f17d82533b70f0517888c6ad818e2469a5e4a430fb5bb70b20dbc

C:\Users\Admin\AppData\Local\Temp\YMkY.exe

MD5 544d75eba65c40abc18537018fce8a8c
SHA1 95bcab252a359c4c3925ec0f2d2e27aacc2ae6ee
SHA256 d36b4c77ee332c31fbfa7e9082a888e89420a785ec770fdeb3611c02a6dbc18e
SHA512 d07aefac753ea6034716a723fad71ba23828862e93f8a6cce4d1158d6dccd73f0231ee382f9e424e4860101f1d342f8d59e4647155182b49362312a4b65ecb75

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 1f42be0a4419ce76b107085cd0de09d1
SHA1 962e8f6bb2dab9ee7be474d39210bd7dc24c8770
SHA256 35f3a71a31af6fe23a077f853b27b069911b5ea732f6a4f6077d18005e37ff14
SHA512 009ca98926be94d1248777a71e54aec5cf92ebd22a67ae0df80bd0b521bd075e07aa9d55565340bec1d72a05e8300cbc41c6c70cb61f06d452a4233ceabaf7bd

C:\Users\Admin\AppData\Local\Temp\YIEs.exe

MD5 fa5e9ed51dba8378c5cd8c51f7bd6a58
SHA1 cfe82f52ddbead41ade9f655cd70a0c3b386453b
SHA256 9049e73f8d3db5b4f30deec91e710de376677d04afb28c71c1c15d546a9c6083
SHA512 63c0eeac7d82335123369b42a0e437f164b9cf75cc75a976392270b1b9523e587ba4ed9e7f71ded00c667f143120e2ff36946e6fe46c389a6a3a56812d24d32e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 098e74af7cb4e58db32e8968a213859a
SHA1 1cf292b57a8400ae7b814671d2560ce7c5f15d73
SHA256 bc980cef8c1f78be8d831f00e82438c217adbf4643890a91458b97704b373f15
SHA512 b3b9e1cd172ca3f49c5c3b9b646e8f4fe40c4eb431dc1250d7fb865a58c7af0ba91d5278997f4eb0cc1916aadba39983ea6faee6d7c0cc333e60c89aa181bc84

C:\Users\Admin\AppData\Local\Temp\yYQI.exe

MD5 bca1cbf67e4942f724e96b96767ea428
SHA1 1bd1a3e6fce618b305ee2e8d096ff8502de2308a
SHA256 ad6f29c99e4ff700500f5273cfb9e6822a066a73ef241c469413b0530c8dedd5
SHA512 11907a038763a7f713479956aec7c9155a6778ffb875f6be7bb36ada027101448cec5131138e337beb58c1c8101c4d865aec337677ed39e37c57d2da6caa7f38

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 ecdd4d6b4363ae006ff4af4e967fe5ec
SHA1 f2410bc38ff0f70602b50f9e321f3ae253172112
SHA256 ec42e4f771f175d4c3913a2a1d73604e5bed8a6fce3243ce83bd60e3805dc278
SHA512 464bb3f7ba108c133cf569e91b0437a2020e303936f7f2dd82b7e809d15db4cf9cb6205f8227f135a4d2c475ea47438ee2fe363570f5d9851aaf3e59b9edc3fe

C:\Users\Admin\AppData\Local\Temp\mgQq.exe

MD5 d319144bb6c5ad1471dcd5acd5664db1
SHA1 44e15eaec066fee60d7c00edd8162df9a4fff1b1
SHA256 18c13f4f1ef42b91404bdd4dfe581897cb8b3adf9aedb38bcc19df167b70d372
SHA512 d43987409a9840679d585ed9f0a889cc90725adaf74932c0bc79f04dba424666ea24d47a1499e5b56757034ad792b4203e83b9703d37a8c7759c1a795cca7aa9

C:\Users\Admin\AppData\Local\Temp\EUsW.exe

MD5 55689e779ad1ad8fc9c13e5ffd56ea18
SHA1 15be0ef4eff5565b8a30416e3f2f18f86e489922
SHA256 3c50168d7c0211bb26838ce9a10a329a48dff878039fd074af7ef02631cae1ab
SHA512 7ccb3047b735334f17b4f7cf7089982c600c3d4cd3d30ba83caa0af0e73bad83260bf24da025f110eace5c62b45066878be4ab2c9b5332532085b62a4692b366

C:\Users\Admin\AppData\Local\Temp\IMge.exe

MD5 20dc3955c93a3fd4d187b55bf4c46828
SHA1 df3d2aceabf9cccaf13271c4605e467a07ae6d1e
SHA256 206e9e041076238f874b51405a2b036dbac1467a86d92d1d55079092852914d9
SHA512 5db3e2fe466cef957bbf9d654b1fc1af6715fb0ad1e184ad8c8fe60e5dd8e46de72d7af74cfbd60f87ae16a66587c35c40ef69e00d9d89635573fda72295adba

C:\Users\Admin\AppData\Local\Temp\uEMo.exe

MD5 d5247076ee9c55ad804772d2375e2610
SHA1 c6b8e0a0e9181f91bc2eeeb5145aa76678a0dbff
SHA256 8a05d59d97478a8a6fb00f78fe23cc59155ed5d242b1f08b4818b7c556b0c788
SHA512 265fb4ab20fe4dce91ea0a22a9eb86949a0e2581cb76d9e58ed9c2c2660e8d4cd359c953c659dcaf08cc860457220d9e846bbc3c3492414251488a5c5b5db3c8

C:\Users\Admin\AppData\Local\Temp\yIAg.exe

MD5 2ca50cbe3fea8a63dce3240e89147ae5
SHA1 bfd37d4c815ecb2ce0e6c0ef9b04cd76abc02f6f
SHA256 2ee5739dd94e3f75cdb43c2c9ea18f4d3b5f53da7fcb68f50697c98677315c26
SHA512 4dd1f4a2d10e4355ef415f9a51aece3871202ee934435850183ad3a0475e25383024f9a74fe59123be441077d5d4bc9e744bfd983dd89ec7a7912b10b4899622

C:\Users\Admin\AppData\Local\Temp\mEoQ.exe

MD5 33e187b14a97eb12d723f7cf14cc69d0
SHA1 9e95f69f7bda65c6619ce1533f55fed53ee81b06
SHA256 27139138b4073c6e3cac52d5d5cc2279c8f1a75596b7e2dd7f91b2a69f03d477
SHA512 c305e83221f30e878871f23c9ca7a9edfc79c89dac734e50dfbe85aa6303b17416503154ea9426d9376ec504846c9460cbd862c1183d6a9653b520b575575210

C:\Users\Admin\AppData\Local\Temp\OIkg.exe

MD5 0f1da66b537428ddd03fc73ee156e2a0
SHA1 241ef607289dd10087fe0378c75f2b66fcb408ae
SHA256 7be88d2f974ef7365500615297e54d2a945ee368a14b5e1b320628530361383a
SHA512 64345d83e8c7582b45af2cfe88a0caf06da2612883dc080800eb2094631387a598c66208fd7be60e4ebcd62a3164c9f598204eab775a25ef3451fd1fab316ce8

C:\Users\Admin\AppData\Local\Temp\YYoi.exe

MD5 cbea54b5c3ad17fa9a52d6a9bf51d255
SHA1 906f89626f55c9d48c02416e10f9f83f564dcfb8
SHA256 504124f23bd0d0ba4b42f35a7f97abbf02aa7cbea9b9474ecb7de399e61ad896
SHA512 826581068f4f294de66e955834297f3fd49591f22c207487b6136e7b0cdfc4a506f8fee47b5c6dca3161270822919e4df38ea382a26bb97457f6d8ead64eb7d6

C:\Users\Admin\AppData\Local\Temp\mkUQ.exe

MD5 2f1337c1093a8dc7d8a7f23325a0d191
SHA1 402ddfaebe811675f06be0721b99c68a9daed4fa
SHA256 5bd986fe07392a9028c3252de7dd833d6218479cf4235a1260b20278fd98e691
SHA512 6e8faba5919817d1c0a0e9ddae056fb18966f6d5d960a2ba042ef6f6af2dfd43766bd2303eb8c85000a8420141674086a925d86e59a1f9eda2e4deff5d174a0e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 9da1f474134af233dfda01a5a2a41cef
SHA1 07aac225b976f8330fc1153b4bd72049b83c893d
SHA256 99767761a5e7e49ed60cb57c73c6ef5d948d2c6e0b7f0146fff31bdb2f84e42d
SHA512 19ebcfc0fad27da854867c57f178619be66d17e18357bfed67b56c0a1ba4682ce5a074ec227001fbcff93fca18ae8b04fa564d2d781d320c2141923137fa8b5e

C:\Users\Admin\AppData\Local\Temp\SQwq.exe

MD5 4c0a76b2384f53df7fe976c8f7c6564f
SHA1 57acd044c562b89176a99dd3ab939bcce125da5e
SHA256 1eee1ac1f6274fd7723e68647c175d3bc96d7785a13137a47adebb4ba23cdd9b
SHA512 075ac2ebc48bd6fffc5f8507a4c8c2c7e4c4e3fe787ff0f8a79ecb4be60fdd3045b17f0adbdeb4140bb1698fc153fc1a91e6720764feab254ba0f8ed5a111207

C:\Users\Admin\AppData\Local\Temp\SEQQ.exe

MD5 f0926623594982a00ba74597c489fddb
SHA1 3c66847fb36f9a8843aa120144436e9e9f72dadc
SHA256 a0ad3214e264f8883282329b1db6c2306050f0a969a05c5375d45afe1efa963a
SHA512 87f815cad053d0f3ad0afb5f9960678eb85118c62fdaa389783979b15793560ace720c2cf84ec1ef6343114402e2552be8b5affe67909281994d4048a4625f13

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 4e8e8bbab6824156355d1abdfdec8991
SHA1 74d8eb2ae22b2185d741971d86af95108452dfec
SHA256 a95215ec23a13ec2f8bce8bcc54af1a6aac97fbc88f5135a2e260f83cf16331f
SHA512 24236d41233c8e539247dfbe095403588b009a23fb79b3e78fb22193b6f19073c83d84c218d728ae27b70dfd8973e257e5e77da4fe8013e1e337b66d4aed0a70

C:\Users\Admin\AppData\Local\Temp\KEsc.exe

MD5 e3d8c436703cecd969540193046d6024
SHA1 a354940cec32d11996104649162da0fe92b3322b
SHA256 5282880b0e8337fbf084db2a8178a16f95d553bdfe0ce4f61c6ff66673136e75
SHA512 3ad3a8742d2915bbe1f0a452dd6b15effc0f06f496825285de2d784fe3eddd57ee2d1c8b0a29191d8188cfbf47cb689fc3fffba52b649f2f1d7318fa80797bf6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 484ac38e7769edc0bd48dd537557b0ea
SHA1 e6a98be0336b235b5b186c2f4287d845e2c9ca7f
SHA256 f9ae6e276983ae14eb6306d3878daa351aef077051f2ce95eda97c1440582a46
SHA512 919fa8807308b8285159b3ee43947c941d6f6d08f51212304ccbc25950d8b6e8033f393d7718fcf1aaf680ff87c31dfe33fce2a19c61650ed04f3fe176a2054f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 538f5bfaa5cd7dfd79705163f9960a23
SHA1 ebe0103248d828f304f336d2c632b1e3b1ad83dc
SHA256 01e69212c5ba443f0fcba50885e09cea1ef68e7e8c7ef9f62fad740fc33dee20
SHA512 3686d62194c81fab2114d2f689223c4c407f496b5343eb8e1708d978bef6a98a0566f2cd624e1c48aabb8b65121e1c4fd374c3ce1510efb6b4901b90ccaec3f0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 5d254ed2c3e7fb6ae75e39b05bd2955d
SHA1 74ee27a5b71a7e2537942690f7feab07414ec804
SHA256 9912aaffed5fc8a19e2cceb300b3d985ffab5254225bfbfb96905f35412a56c3
SHA512 c678dba25594dbac50f78f36c5ba53181e108bee5275975c1000ce9600b7c09887f6385d0fca3796f4f927ca3826c13d0c5822722628d1c75632a5b375bb1702

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 6577ba9721f060ef699402805739b4d9
SHA1 cfd5a89a4a2df5f2c5fb72d1558fab395a052895
SHA256 6e09d738a3a208dddfeee15b6c91a46e42360d7535441ce07b4c4aabe4283962
SHA512 f4a15ac928f38bf94a37f45fc3becdede75454e9c9df0fb0bec3626d7bb6b6193cd34bf7e11b48789aa1cb48b1cfca5cb2bc3d69de61e92c575e80526726bf46

C:\Users\Admin\AppData\Local\Temp\SEkA.exe

MD5 a63aea561efa17aee5e6e7dd5e614df8
SHA1 d15bef1da786c8224ad8adc2896b78095976ac94
SHA256 b96722f4db8c36af56a779b0a383399de083600aa900cda96434da1c530465c2
SHA512 747924b7c3379e7daaa7fb6e1d3a51037a4b06c91992abd0ced6e7faffa82bf2f9d57b3a649be72b4d6d27649958c767f0397980888bfffba78726b1d1d51f16

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 0e805c05c85e2e4f5a8d59293823161b
SHA1 01aeb9a3a6f537a3c4f18cbf34229a5a46d18d38
SHA256 4cf355d1ce5aa59004739aca9e57f91c1966fe194b8c6cff619f42063e05c2f5
SHA512 021316f21e71b00c6ee01927fa81604c7382d1071daa22da66047fd3a6f9092120c3b0d0c274b810b3b8a3e74ae5e15a1d5dca93c3626152286b51466b63ff8e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 3950752242dce77682338a53196c9e74
SHA1 00601d8a6f7b42c364ec9b843e704a99af51755b
SHA256 49072feac3ba4c69e12a1e9fb32191592937182761d1f3e8b49946edfdce448e
SHA512 b996e52a30a9c3e5069ebf1c5c7cc830ada8deb4182b0823e31755eec872fe10cf25d9d291c714ed6ab05efe51975b8a0e2dc8891ee540347a83d0c65320d5e5

C:\Users\Admin\AppData\Local\Temp\cEsy.exe

MD5 f035e634a9f158e0f8a15b92663115f0
SHA1 4de85ac244ad0ede6b94225a824dc04632105b45
SHA256 aade393f5af60014c82c638454218c1a72e9bf6f91e87c33fc018a60ca4c0f65
SHA512 60eb5257111f6c6adaad8558e021fe11a0ca9173795d5f22ad4406f8fa3651f1ab43180746f8d68cc5325963874eb6f276a5477194a5bbcbe94ab8876f372cd8

C:\Users\Admin\AppData\Local\Temp\uQgK.exe

MD5 7af805b84272ca98c55110380142e56a
SHA1 e7e18a382c8fd4846b4ff8557c31833a1b27a67c
SHA256 401e96b7d53607d9010f9c0de8f33383b5bc18370207c5d8546b1cec6d72e3db
SHA512 f32739230d21fa20ece2b0a63f586a3df3ad5b0dfc2bbf0054ccc9d440be98be3eec90dae45b6d48dfa7bc69a429c53a68b22338951d8ca93064bd6ded6f4506

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 367f83c5eecae93fe79096c174f1a8c8
SHA1 c962dcb6bed0da69677e630a6abdc72503cfa83e
SHA256 9cb2cfd0a79047e18fcbe51025c36a68e94c38e43c531703673fa120397e41d2
SHA512 a2afc854d89df4b75a795bad6966de1162ec2b64ded7b77fc8881d11a025f57d9dece924140d685ff5080e192e6cf13b3e4568354514983c466e0ba427715c6d

C:\Users\Admin\AppData\Local\Temp\iakg.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 75ba27664f00c032140e5c3a1a9df7e2
SHA1 e88a33b3ead07cdb0e6544e8694d6547db9865fe
SHA256 785ee0ccf9a33299ea732d31d4f4c0215ac7440d537d42a37e2695650c59328b
SHA512 0954d9fb6aab31a3bd3c81fc734a0fccad52b5100c1f9e22a3a06439e3e80b23736e19e1af739e366ac9a3b52329f09244af424811c91c67d5ee5beaebe02ad1

C:\Users\Admin\AppData\Local\Temp\ewAe.exe

MD5 db291e1baae25b897c79099664a8e467
SHA1 eff2e795da4bb3c57bf5f1d8712fdd37123f9825
SHA256 4a8c34ae6c82162130b52f0d700604de77fceb5c9f7ca8139227dd67a3af7e02
SHA512 66e35496dfb0aa58dd09175c828d5faf8c5ebbd34c83e974aa4d87c2ee0728e311d184290268bcbada614a8a822bc0bd9c2334be239ff64b155c10d6089a315a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 91bed1f658ee164c00c492b50196ebe1
SHA1 ad822e1cba3ff10a79be5ff7a49f08f189a58bda
SHA256 05585080a05141e7e5ae82d4a7ec7be6c787dc15bbf44cfe29e0821a2ebc237a
SHA512 3fa5300b2d67c056641755557268c6da03ad54e543ea1016b5948d084c8810a0319267fc2ffd8a6095fd6aeff97d5b6bba2e558bb5e75f440c38f4b5c898b710

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 568d257bb8bf9e64e910097f978a94d2
SHA1 85bfbb3fb14dd9b44168c2990120078de33509e5
SHA256 137c5ed0006e39a63c75a7ae5ea9d58a92c5afb011797d80187c85bd0084ed9d
SHA512 9381728a993f017ce5d1ac07b12b7255b2e68202194cb465a98d600fc02f89ce499f7f90ef0b65c9fd2dda1588e02e8e60e5d3806771e65be87f0974fc3d11cb

C:\Users\Admin\AppData\Local\Temp\QUYy.exe

MD5 005746373601269720ad0d5240a97523
SHA1 aa02fcab9dc731e063fa0881cde27004e1d053b0
SHA256 4929862299ae10575bbe59751c12307d5a303a812c88d1dc13357ff82c806d0e
SHA512 374f5bb605322836e908ea8881c6e0bb57cc91da801a3af90e0d4d515ea797fbb68bb821bc2e825d72e1d50262ed72d4781fd84f0d0f80df1340a31adef4089d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 25e39f1cf0ca714f2c98fba820e99f67
SHA1 32cad9fb9840079ee2b3e0fd297295c7b8c0338e
SHA256 8e1ec67230a42c83433e897f7af0b5af0f008f50afcf89c0fef60cf081b5ed24
SHA512 643bed3bc9bfa015d1ac7614df2aa974c3134a83bc44abf7116f07111178b772564579c3835408443a4f3d0b146e238c472fa0b19795304eba692457848451f1

C:\Users\Admin\AppData\Local\Temp\oQQE.exe

MD5 7d76e508153f353fe34f659eabd9a977
SHA1 9ef2ab18fb7bf883b5dc8db47879387dc0be5115
SHA256 7819b4a6e6f7a4656a0b2cf9e6944037314d70cdc28282eca8c63317a278ccd3
SHA512 d104366355d603360ab0329c46b7d95b3b721161f499685def12e5aafbbb2fb0a2e9032b3e9571c8f46aca6b0d70f703fe4797116c3052faee46b7c6af5b7732

C:\Users\Admin\AppData\Roaming\LockSubmit.gif.exe

MD5 160d43f93e2c1d4cbc02f3c555212dad
SHA1 3602f987637a68b7ec37fc3ec7aea4afcc0a8d69
SHA256 45e54e2fabc66d9d728fcaa302c95e0714780854690854ed22d609741803de74
SHA512 6371ba19452bdf5006145373a1670c4dd88e95f8473ea69fa3e91f3a19e1903aeaf7c8554630f3b24ce14730654f7bb72c8b54da604e30d5f17c168c1a1dfdef

C:\Users\Admin\AppData\Roaming\StepOptimize.xlsm.exe

MD5 c1355478f3b1db904421f4d89828a5e4
SHA1 347b29a18838ac39c77441f8fd4de1b696ee3ed0
SHA256 dbdd33b03c6f16a810d1183e77e3c2295699f2a9a157c4bd7fbb70c1238b6033
SHA512 9fa5e0cf3850477dfb8ffbfb5c5ae814a5bce261ba495b7e2b466a4cfc162c1f1e348d26645141dbc948b86da00ede59655b42532b3478b372315b02753f8906

C:\Users\Admin\AppData\Roaming\StopWatch.ppt.exe

MD5 037e613c0dbe08e2d8b4ae1e5fe4875a
SHA1 04055eb6e325b764956d6a9045a0966f14073dd8
SHA256 7aa3a404dad0c1ebb7189e14e2502a84337ab3658375641855d9bf298dcbdacf
SHA512 4b146c74855eabeded83f6d52039e2e05022e8797d93e6ea65a42721a6446f0a231e5403861849a17f4be4affee7daf4508faa0c93ea6817654b3eeaaf1eb904

C:\Users\Admin\AppData\Local\Temp\aYQS.exe

MD5 4cd39b564ab6c6ab9cf69cfd8df42e7a
SHA1 35bdefe644ceab3f836bbfaed0965a79630f8600
SHA256 14b85466013331f88b2d88050af7d5801dd6f2037bd87bb143479b47fc9a7522
SHA512 7e5825c4533036493e4693963c1d17e8c09cc165d21211552d88a9e4449cd9ac26c77ba1019f728f2cff3ddd3be0a984954aa7377d9ffd7c2a8f1195f94e573f

C:\Users\Admin\AppData\Local\Temp\eMIU.exe

MD5 02c7dd4f9756c75781eb43afbba0cbe4
SHA1 8aa7c4997ccbebe78396e5513e2820b2818c736c
SHA256 bbda1868148a89e4c3b716600090119a8b580f150525332d2ebc530b36950101
SHA512 97f7539c1311954849fb56ef74b2d3b2354e21be93816279f5a1051e03893a02a07389d93afd42b4fbc64303138396eff16c77428ece5ec24c23b0c4f9ca6691

memory/4420-983-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3788-984-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3728-986-0x0000000000400000-0x000000000046F000-memory.dmp