Malware Analysis Report

2025-08-11 01:47

Sample ID 241005-x9jpbszgjn
Target 2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock
SHA256 079179f9b886170345ae894a4bccf73b643ed9c910a331737f68c02981015f94
Tags discovery evasion persistence ransomware spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 079179f9b886170345ae894a4bccf73b643ed9c910a331737f68c02981015f94

Threat Level: Known bad

The file 2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (89) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-05 19:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-05 19:33

Reported 2024-10-05 19:35

Platform win10v2004-20240802-en

Max time kernel 150s

Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Renames multiple (89) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\MygAUokQ\YmwgUEsw.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YmwgUEsw.exe = "C:\\Users\\Admin\\MygAUokQ\\YmwgUEsw.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oUEoocgc.exe = "C:\\ProgramData\\dCooIcsY\\oUEoocgc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YmwgUEsw.exe = "C:\\Users\\Admin\\MygAUokQ\\YmwgUEsw.exe" | C:\Users\Admin\MygAUokQ\YmwgUEsw.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oUEoocgc.exe = "C:\\ProgramData\\dCooIcsY\\oUEoocgc.exe" | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\MygAUokQ\YmwgUEsw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A
N/A | N/A | C:\ProgramData\dCooIcsY\oUEoocgc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3708 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Users\Admin\MygAUokQ\YmwgUEsw.exe
PID 3708 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Users\Admin\MygAUokQ\YmwgUEsw.exe
PID 3708 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Users\Admin\MygAUokQ\YmwgUEsw.exe
PID 3708 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\ProgramData\dCooIcsY\oUEoocgc.exe
PID 3708 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\ProgramData\dCooIcsY\oUEoocgc.exe
PID 3708 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\ProgramData\dCooIcsY\oUEoocgc.exe
PID 3708 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 3708 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 3708 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 3708 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 3708 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 3708 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 3708 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 3708 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 3708 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 1332 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe
PID 4900 wrote to memory of 1332 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe"

C:\Users\Admin\MygAUokQ\YmwgUEsw.exe

"C:\Users\Admin\MygAUokQ\YmwgUEsw.exe"

C:\ProgramData\dCooIcsY\oUEoocgc.exe

"C:\ProgramData\dCooIcsY\oUEoocgc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
BO | 200.87.164.69:9999 | | tcp
US | 8.8.8.8:53 | google.com | udp
GB | 142.250.187.206:80 | google.com | tcp
GB | 142.250.187.206:80 | google.com | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
BO | 200.87.164.69:9999 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
BO | 200.119.204.12:9999 | | tcp
BO | 200.119.204.12:9999 | | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
BO | 190.186.45.170:9999 | | tcp
BO | 190.186.45.170:9999 | | tcp
US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/3708-0-0x0000000000400000-0x000000000069A000-memory.dmp

C:\Users\Admin\MygAUokQ\YmwgUEsw.exe

MD5 a6ac9ea7de276badfc6aa4a0521c1758
SHA1 0469da7e1e3c0151ea0ca164e6bb41b334a2dfea
SHA256 a04328cd52f8d46ac27c4f519117b5974e82c322731b6d3e046da6a48b440a58
SHA512 00f4ca96cd5589f2ffeee34f40948f929cf1d6f36e43b4ed5292bcfa5c7f9a68f19aac9ddebf51e6d7cffd7f2d1634e0686c78b5cdd1230ff83f189bb4c21507

memory/1040-9-0x0000000000400000-0x0000000000424000-memory.dmp

C:\ProgramData\dCooIcsY\oUEoocgc.exe

MD5 98b02c2f4ad72c63cd6cd173fb45bcd9
SHA1 c8089836e4ac2ae48ae2535fdf0157bc0ae1c0df
SHA256 20331a4c0b3d68f5850ea10eebe52bd863a30a0944296a2dd589bd6ea2d0fb84
SHA512 6cf6ab3099ec0ad7d076bdd89e877968546a5ee070bbd7319cfa49feb50ce7b8943d84e78c97b3cd14f07247dabf405d9f41f94a42f4822c42a9fd82b010608c

memory/4044-14-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

MD5 d998782cbfcffe2b57945e303f02f176
SHA1 bba0fefa7823b0951f33b79708b23a47ab4f2315
SHA256 8b29c9349e7a814e30cce1cfb788f5a21740c798268b0a45ab805195faad9105
SHA512 4562723ca09057817ce66eb5596de858ec3a674e3b3b6a644b52d6ab1e5d4f8650423356853ed68a375e328c4a97b5f33b8639b31b32d8d58075fae7fa37734c

memory/3708-20-0x0000000000400000-0x000000000069A000-memory.dmp

memory/1332-21-0x000001BF52C50000-0x000001BF52ECA000-memory.dmp

memory/1332-22-0x000001BF54C10000-0x000001BF54CC2000-memory.dmp

memory/1332-43-0x000001BF6DAD0000-0x000001BF6DB46000-memory.dmp

memory/1332-44-0x000001BF6DA50000-0x000001BF6DA72000-memory.dmp

memory/1332-46-0x000001BF6DAB0000-0x000001BF6DACE000-memory.dmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 a0f8bece4bfc5249e989d08fcae0acc3
SHA1 0954665be5cfacee2731ce1f83fbf1e717fee5ba
SHA256 329601da2b21ad8cb374ee214fb94e7ca83c6ad023da7451d70580033b2b76d2
SHA512 fc2b0ed19b276d49dabe7929555d2b0d541a47cc43636988f18dba92c978cf3f372cce9641cc90af6ec636086024b57e7d9b1b4f82de7a66e70eee1b13d427df

C:\Users\Admin\AppData\Local\Temp\ugYU.exe

MD5 06cfecda2e9de9c235cc226970dd82e7
SHA1 745731e543cc45e35f11b7bfaf981a52e3270c23
SHA256 88488d53ecc6df6c540574afcc292d2c9fcb002cfa863c96be9b34f34125d022
SHA512 64c3f5b55863b8e6d67ee83affa639cdbc45d4c035bbecfe42c844f994a8dbab00bc0004df6864278b60f460e079288f5605804b5921d60e7ebf571cc3614f87

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 2e21792402decb9695cc3f59766f8aab
SHA1 1fcf31da3399fc607fda59d6b44a17f7698dcfa1
SHA256 c8d4075fa1afc1d2f0e6a49795e3875946eb3b72f8f5a794923913719d8cdec5
SHA512 e11dbb196ee2c74f16494cf4d20715d7826dba23b05105b4f83c5942ceb00e5eaf6b54e27e350142cdba291221378c5ec93b6cf49715f58dc266bc87b7059f6b

C:\Users\Admin\AppData\Local\Temp\OYAS.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 78df621c11a971c4471fee2e66800976
SHA1 43a9f256fc1a64af430e2d9c17677647179eaaf0
SHA256 5a045363582d0e9ce64ed8e217a732451c422f654716b821491c7b3b8242376d
SHA512 3bee3151683e62e86b219eae31a4a8b961c2484d207e53ffd210febc65c244d323e02b414d39b83d0044c97558d8544ff05c7657b7412e327ac4aa1958282fc8

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 bc395df7103853716675c359ca0ed57d
SHA1 24813528abb4519ad383a53e478a045e3f43bec9
SHA256 3277910fb41c160d78b3c869957dbf707f8a6c2f7da486e4acc4b499ecf6ab5d
SHA512 fc7988e9638eaaaea70ea1ae38536e500dc2ee88f65268848a2298734fc1cc85b013937414c6c79e358ad796ea05ff87dc1754318e797297d3a2acaaf42652ec

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 4a63ce3f56903cd60bfb1ed19bc1b1cf
SHA1 853dcf6be07e936f582cd495bb2a08c51a4c7eb3
SHA256 e77ea2fff3061e83f0fb618b8e9b7eb40bdd49f823b88caafdee47aaf6f70f3b
SHA512 3b2ef7e9b80e72c70c6c06825616c7c1d043ac6b70b435e605448008f09272803c40bda1ad1cd165a4a24eda61786c4be94b90d6aaefff43cd2b91619c8811a1

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 ece4cd0fc024b4b0c46129ccd435aaa7
SHA1 3ce36382ae945abd43abad2c79f11b00f8fbb5b5
SHA256 180955938f5280ae4c9e9acc9d38da003a0239d164793cd284ea386e7c4c5ea2
SHA512 aabf478485ae7ee29262c5d2761ecd78559ce7ae3cfd54327d362c614420bc304c405c226e1bcd55415fbf5ca00757086c9cf365d1535ff5b6c128451679318d

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 7264deb410bf2c66cd3271f65067b0a3
SHA1 d8383c484cfb4a13b0b592f53c7ca8d24fcb4803
SHA256 88629864f3e3105ac98c021665982bbddcb25a6b5e527b83973b377267b938e3
SHA512 d3c49e3f46dde605dfb0ae09753e39a79c27666d79b6303f58642ade10a6cf09d3778a2a363a26d0bd8bba23aca4cde8831186b4b84e6ebd89dc76c89f7d63d2

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 3640f86a4c61d713de60841531137b8c
SHA1 f964e19be921466d57ce4e4b0c6d470ea7b60b4e
SHA256 57a7d19f5cf6eac34adf6121dfd264eac521277f15c5fb1adc5a51bbf452db18
SHA512 9f3a3696d4dc37650a716648b799f5017d627ab8fd6842d6a6f37d5ad161877e848dddacb374df4c513c831578a28ce935c028e5115658be0ebeb8b20e4cc365

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 14ac496ab365a77db232f7cc05398bdc
SHA1 78dd9f59290f35f6bbdb3907de29a965bcd3a926
SHA256 82e2fb20d92ee5abd3fe05a11947cb9ab6fce89ac110eb2639bbc7e1e750a051
SHA512 1695c154f0884972d9b34267db7a0556686119794050f5ef0076dc4da1497c30c10dc81cb305abc62e092b6f962f1cc678fa32bc715bfc62cd9f28e82b9d1974

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 bf9e9875a1ac78392d5fff468379e668
SHA1 9a7f42e3a1f74d1f779ddfbe56f6eb2e22b5d008
SHA256 307050b35e4b800129acb126820f64a7e1634b9393c14eae597fdb5e1ba5e8df
SHA512 28e464bda4dc407e32c5cfa77b4bd783a2efaae95e26e9b389497a9d8b3634b8823458ad24f19ba2a544ce5ab30e132a96a1f9b23297b15e99e2045ef7b42e9f

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 cbea068afa57421be0d1225c4b77cd4e
SHA1 4e11ac918c88f91c5998923f366eb52bd751e0f2
SHA256 2313e3793ed40583489a9305a9f34aeb8cedeebdcfa8d05f10e9f35f86cf514d
SHA512 be5004e8ceec8e260dac1f7b569a113cd715957cf7756a75e10af2563231ba7b0c2e8671ce38857a370edc66c4902b7eb605772f8f3034e2d4038dac075a2b41

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 fe3c178020b6d2308d8e0f3ff9b3d7b9
SHA1 7e5a938a3a4ea8f9e64ce3d9440ffbea21b8074a
SHA256 cf038ea9d821b3e2b2ef47d9a9ecbd8f991674adf3de6c149c242c5876a533cb
SHA512 8cb44ccf42b663e8a1b1c17a74166e949f48746e0d3a413dacd3bb3054eca0f0a20bd8bbda498ce4d4e16c2000409bc962076d2f6967ab3f07c4daed86726638

C:\Users\Admin\AppData\Local\Temp\Ugwk.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 3532e3996c4bc458fb955ea313539c6c
SHA1 87e5a427ebc07dc88e475b2d5197976527c712e4
SHA256 13b88223d8a5f0fab258f8918e5cace4e82ac52b00b8fb2dda9f00e9a43614ec
SHA512 70efab9c3ba9df73db5fc655227ae91a591af25d5390227f223fca271866ea25052616429fe0cb04e0a9e599034e4f581fb12a5d993259f32226c90b7e724dfc

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 4feb74bfb886218a8e4b924dacf7b7a4
SHA1 dcf6d1773d2fa73b2fac6a5f8f18d7ca94593ba3
SHA256 9d219e974eda1832e8481e34cb3dab770ecee9b0c48697176b3ac37ad5ea25fa
SHA512 2375f88be7ccc4b7042ea0446d331e78ccc5020b99a14ea47cfe733e4a9090c34c8e8a3c4dab05ea9704a7a38d80469ed8879be8272a2ff8817e5a8c96546ca2

C:\Users\Admin\AppData\Local\Temp\EIUM.exe

MD5 d2dfe0326d0bf39e0b1a8c93ea562401
SHA1 b9da0fa82a552d23fe646a6841e2585217fafa91
SHA256 eb371722cf3125749e6cbffb0fc2f99a9dfab19638b68c8087ca154bb0a17df4
SHA512 31bcc96f716589259dc60cf439a8b4e96789fedc3691d3148fa2f8e399b1f23196b83f2f6bfa05a22bd2a1270ad5ba7c6d892e28b9560d71bfb3a95c4676ef21

C:\Users\Admin\AppData\Local\Temp\ccwm.exe

MD5 4fae7ef3bad9e969a1fd1f4023a75940
SHA1 98a16e4e2135fe0ea7869c9314e07d70037a8d59
SHA256 edc63ab30c8273e832005fdefb27eef373457b50bdd36fe7aeb9b9dd53da841d
SHA512 08f84660fbe86e1225c56b3b3a79e574b5ee98588dc541b23e58e44ac19c4439e5738830769392230bc240bc53059cde28dc471871293d6777075bb0a682883c

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 1ce386bc8ae54728cdfd2d4c296854bb
SHA1 eaa0b164f248bbbae71e53e47865f81cb516b8f1
SHA256 19375cd6ef9e82f47a766eaae85d4c7d715d4c8fa030cbeb7cbd459137817fbb
SHA512 0d9a15d46e0ce9f629968d62f6162e6b2ea436a83f94754bbbe76b85f5fd9527062bc47fb4ba8b62895d7f456c64056dba61ef4285253997a6cf67c3bf064087

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

MD5 1313bff872a54caf44419168bd25a867
SHA1 765c631d619e7004c676c697d538740403f8102b
SHA256 34939abf21bf122ebb13fdd731a9b0872ad7694891d1121c5a8fa4c763e2a5b9
SHA512 76fd300dfd91f6571581fd00ae8ddd019a16d9e4f144e9194c3a1d6a01ba3f1eb7ac3cec0e7f52307558947f0cd6e44b4c3997ca5647141ec61af5034b47bda0

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

MD5 686fc03df34a6519d176c08c1cc56034
SHA1 921f127ed248a8bbca0a57e868727e3593c7939f
SHA256 d00d6c26255eca707bdfbebda45c7e0ef8f761313b44eeb34a8019012d8a9144
SHA512 a8d550c120d92fd91bfdf517bbe1a571d69c222d50946b6611303df034d708dbc41470cd50b416dce50f02bb2e0bd49bd1f7b29931c298dd798ae82a5dd43fed

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 3ec4f3a5d0c3431c7b478cc144a758a9
SHA1 5e95633747c437127f0a2114809e642942d24a6f
SHA256 e169464aca5d5f0587c3804604e6bc97854c30306db5be376a1971c89c2d6d36
SHA512 a48e5c87052327c8457afe53ee02b0a17b6330385ee33bc647ca241132a9a85ea0e45aa4ead3fe9369a6712ba214c085e0e5d77fa9b3c70c07704c9bc324be75

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\128.png.exe

MD5 9e6fdea960ff317d447f826929a8a7a0
SHA1 c35681a555daf80b87ad71ebe2f6b34e3023324c
SHA256 c3169b4fba9872dfb4be0a56d6bc05dfa986a79e3a8dbc1c0845758b43161171
SHA512 eca3d98e959e53efa297c4333dc00f7688112b20fff98eaa865a8c63bb4285966dc9cc9dbda4435181b0bd12d9411b1ca8c2bed6b1dd344cfd44a297694e9b3f

C:\Users\Admin\AppData\Local\Temp\ikUU.exe

MD5 77257cde9f8a77b7a8aa334d89e0d00e
SHA1 687bc4bb9bdf26ffe2bbebbe6b8445b76bd5cb43
SHA256 2162a82f9185da8982d310da1070d3d75fe67d0fea56bd3a58bbebb94906061b
SHA512 a45e5fa3179046b4518cf155e06aebc2b9384f699f33c391bd611a7104b6017a73f26ed474aee4f1dc6b0d3103da4803791f9075eea8c43d74f3dee886abe567

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

MD5 0183e797de674024a26a77308297e69c
SHA1 04efb22a404dd64bf3897a23128af5626f281f64
SHA256 afd887c6f620e9240de3a5ec807f0a0e363fa323449ef55f32748da7781006d5
SHA512 5907c82fe5ed612ca9696407081a34f1076a6d6836fd0c1fc3c8b8947fd09b0a8faf895c9ec7a3c191c496d065c17d2d601bfba34724e80add90668ef1169ef6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 f0bfc917cb8d2b85a0e385cb3aa0c6e2
SHA1 2b4f1953d78c2160ad9c1dcb95c82d7fb8a71c4f
SHA256 bb986d34f3178c57a9e48a1787ca84aebd6f2ea6e9f7b75f00f7245c6093ed01
SHA512 b43c13842be796b7cdd59afbf48994af9d49bed882dc381d537e854e00c1a21b29ac531ce4bc09ecdf1137a847eb2a067301c8216e740b8443bd01f35adbc60f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 3ae99e419a8e7bea7effdfb63f79ecd8
SHA1 34ef8574f8b4c004b5b8bcb207833f563be9ceb9
SHA256 9a39d15c8424791e9a79f2fdf7f5df9f1191e16a330586bd3b3516fc9fd5d5fa
SHA512 3593edafc3a29a721bd975f1e7681ccdafa7d4437a58d10dfbe726a12fe3853ef96fdb5fa0b4e0b8da43ab5f5d9db6926453ff160008eb89a00ddfb873731844

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

MD5 7224b22df79ded5e74d80369c6de4f98
SHA1 27cf9ee1d88a87b3b030bc47ad4171e174961033
SHA256 5a9da7fbf0ac85c63ff21994bad7c962be13ee52e3e82a501c72bc78c8b32302
SHA512 a0dcc089f86fa83ad379292277f979e29eba04e7658a883c11143a9447d359411ff970296664ce6565bdad5fd2b9a1ed0925006e272c9ea9a3f1e615a72700a3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 fa4ea3483fc3c920aa875b64714f0c2b
SHA1 20aaeb9e41b914e4da085d89b091c8968bde1549
SHA256 9b1484b453ac4a67f41ff61b18c0adf6ddf4f76d5beb6e21b8f1558d9e300588
SHA512 07828a06062572c01692b539587955abab7cbc28ae1c77a0b87320d8ed118ab7a0ffadefe0c4c9d0224bd769e223feb076e1bbf8ba9a897df67605b577df3a8a

C:\Users\Admin\AppData\Local\Temp\kQMI.exe

MD5 bbd8c4759e6d83d88372a8ce6649a231
SHA1 b35c50567f535548e823e7d5b0638ae2faeb77ee
SHA256 8e37a156d64c7be5e2943330c76afa6edd3352157da6cf8dd32766e46edad5b6
SHA512 605992b201934b0aa4f9ffc9656fe8310691d2e19bb64c5661ef71b1c297caad690f93b3ae09284129e0346b089e87b935ff2a995f5b2f3fbebbc4c5cd26acbf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

MD5 396697d2ce6a17a8e2486806940921e9
SHA1 0d8c77b23cc022856db9880f95d0dd48daf3ab11
SHA256 e94798e6c9072d92e41889a9c3bee9d7197eca85a4cf3bbea6a67ecabb2a2be3
SHA512 406d26a1539bd0877ccee72f6b08d03c3a6682c920a4694ef1486063c5a209d30e374a8d7896615de7101cd542272a0ac4dd096a92252357aa01eb0884c3a78d

C:\Users\Admin\AppData\Local\Temp\ecUK.exe

MD5 f33632cd95ffbaba945771291fa62f0b
SHA1 3f478e14a82678681a567b69ea11794887c4c232
SHA256 49e423639bc427dc90bba1d7758ff3ce95b8ff37f7f8688ee75be26206f7abac
SHA512 223d62e91bc782fff2147e8876c534232a039540a0cda8590ecd9f15a32d03531917b6ae4f91875e31f52c470fd94b7779d4a1a3add41ba73767eb553051f033

C:\Users\Admin\AppData\Local\Temp\qgcI.exe

MD5 b483eb8b1a005bad876a5b5e9195e3d3
SHA1 a671c909f182416c7994ad3523fef96ed13e8658
SHA256 559360e06dbade0721843f91b963c5b4c2b61553dc90e4ab1f03848585a728b7
SHA512 aeb73fb0c95f414766e9af44f218bd64f854549b80228f2b606389565ff57511c1a507c3fbe92d18a15052ed502e8a52e870c71c0348c3ff1d47fe808f3ddd64

C:\Users\Admin\AppData\Local\Temp\GsUM.exe

MD5 fe8fdaf42edcb37123595971f39ed21f
SHA1 08069508c8caf56e89edae2fcdf568ae656f0443
SHA256 a74fd6ffe350984ac7dfc84aa3515ab3a738db914972af76af5deedf073fa602
SHA512 5cd21ecf3ac41f140c279429b954b398eb45771ff1de2656df19c893063779212d24e8730eb91948a23b5260457a957f787d5125092789a8301cf68ea6571a1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 74f69f59a95aa00ddaa8a26caabc5649
SHA1 2b99c6560bd7d3e1a4a121a42577c889e173f895
SHA256 7d7f301bb7e677c8f23b86af02c3800c993e01e0417feb4c835ff068ea03729c
SHA512 53c31186503ef81e3de9c0bef62ff8bc66437e1042a4312c9e520f08810b17d469cee3548d16eb87b1f5733e3d1b1be707ebdad37908e71c32cae7db62742c90

C:\Users\Admin\AppData\Local\Temp\yUIs.exe

MD5 d528a396734d5b2256fa9d5fb39a6561
SHA1 1d8b7d673917261765afefbe247a157912f4096c
SHA256 52d068824144edbcf6d886e51fe5ae5a185429a5cbde5868cc4f50c2c1942149
SHA512 2fce4462b4b209b1a0bbae87850d19ec4e04181a1224567f0059837bb8824f34f356fe373a1755d867d85467f675d99176da957563b23eb13c6d9b704dac0383

C:\Users\Admin\AppData\Local\Temp\aEYo.exe

MD5 6453470bd65a39e3198b6e1747ae3ac0
SHA1 afab531e7b34d8d922efc492d852fa56a7cf5214
SHA256 62c54ca9e886aa2a005af25c37c6de2883d2cd18b78c4305ae93744acfc29223
SHA512 0f3ce38d02b6948f27aa3357ac45e89ed1998288372d2ae9c0d5f0cf44ad4a5b6e101aae9c8464773f92fd6e5f824ae1b79d69472ce5dba762aa1a2caaee9c9c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 a1481553af9b52f287406827adeff1c0
SHA1 0d299a6669a4025a540349ba04935f5b89a84218
SHA256 ce9ae670a18b30bc5e7d4d4f93231fed5291e66538b54f7b26897d0ab772023f
SHA512 bd82285e6a04d15d1c3d82878a8df8d983981e080cc1d411cf2605e9cc8c107688af664e1ed15d38ef8270d8e9f131655d29ccbcf75dcc0765d475d641ea34c4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 64a8963cea7e3311a98ba436499a625b

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:33

Reported

2024-10-05 19:35

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\pEAscQAE\UwIMgMQE.exe N/A
N/A N/A C:\ProgramData\hmMMkQsk\uikIkMMg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\UwIMgMQE.exe = "C:\\Users\\Admin\\pEAscQAE\\UwIMgMQE.exe" C:\Users\Admin\pEAscQAE\UwIMgMQE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uikIkMMg.exe = "C:\\ProgramData\\hmMMkQsk\\uikIkMMg.exe" C:\ProgramData\hmMMkQsk\uikIkMMg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\UwIMgMQE.exe = "C:\\Users\\Admin\\pEAscQAE\\UwIMgMQE.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uikIkMMg.exe = "C:\\ProgramData\\hmMMkQsk\\uikIkMMg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\pEAscQAE\UwIMgMQE.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\pEAscQAE\UwIMgMQE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\hmMMkQsk\uikIkMMg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 2808 (4 writes logged) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe C:\Users\Admin\pEAscQAE\UwIMgMQE.exe
PID 2752 wrote to memory of 2840 (4 writes logged) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe C:\ProgramData\hmMMkQsk\uikIkMMg.exe
PID 2752 wrote to memory of 2588 (4 writes logged) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2616 (4 writes logged) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2556 (4 writes logged) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2588 wrote to memory of 2612 (4 writes logged) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe
PID 2752 wrote to memory of 2576 (4 writes logged) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 1228 (4 writes logged) N/A C:\Users\Admin\pEAscQAE\UwIMgMQE.exe C:\Windows\SysWOW64\WerFault.exe

Every target in this table is a process the writer itself spawned, and the count is the same four writes for the reg.exe and WerFault.exe children as for the dropped executables, so on its own the signature does not separate ordinary process creation from code injection. Its practical value here is as the parent/child record from which the process tree below is built.
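Rebuilding the process tree from rows like the ones above is the first thing an analyst does with this signature. The following is an added example, not code from the report or from the sandbox vendor; ROWS is constructed from the table above in the raw one-row-per-write layout, and the only assumption is that the Process and Target columns are space-separated and that each path starts with a drive letter (which is how the splitter tells the two columns apart even when a path contains spaces).

```python
"""Rebuild a process tree from "PID A wrote to memory of B" rows of a sandbox report.

Added example for this page, not code from the report or from the sandbox vendor.
ROWS is constructed from the signature table above in its raw one-row-per-write
layout (Description, Indicator, Process, Target separated by single spaces).
"""
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe"
ROWS = (
    [f"PID 2752 wrote to memory of 2808 N/A {SAMPLE} C:\\Users\\Admin\\pEAscQAE\\UwIMgMQE.exe"] * 4
    + [f"PID 2752 wrote to memory of 2840 N/A {SAMPLE} C:\\ProgramData\\hmMMkQsk\\uikIkMMg.exe"] * 4
    + [f"PID 2752 wrote to memory of 2588 N/A {SAMPLE} C:\\Windows\\SysWOW64\\cmd.exe"] * 4
    + [f"PID 2752 wrote to memory of 2616 N/A {SAMPLE} C:\\Windows\\SysWOW64\\reg.exe"] * 4
    + [f"PID 2752 wrote to memory of 2556 N/A {SAMPLE} C:\\Windows\\SysWOW64\\reg.exe"] * 4
    + ["PID 2588 wrote to memory of 2612 N/A C:\\Windows\\SysWOW64\\cmd.exe "
       "C:\\Users\\Admin\\AppData\\Local\\Temp\\Optimizer-16.6.exe"] * 4
    + [f"PID 2752 wrote to memory of 2576 N/A {SAMPLE} C:\\Windows\\SysWOW64\\reg.exe"] * 4
    + ["PID 2808 wrote to memory of 1228 N/A C:\\Users\\Admin\\pEAscQAE\\UwIMgMQE.exe "
       "C:\\Windows\\SysWOW64\\WerFault.exe"] * 4
)

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Process and Target are only space-separated; split where the second drive-letter
# path begins so that paths containing spaces (C:\Program Files\...) still parse.
PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")


def parse_rows(rows: list[str]) -> tuple[dict[tuple[int, int], int], dict[int, str]]:
    """Return ({(writer_pid, target_pid): write_count}, {pid: image_path})."""
    edges: dict[tuple[int, int], int] = defaultdict(int)
    images: dict[int, str] = {}
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        paths = PATH_SPLIT.split(m.group(3))
        if len(paths) != 2:
            continue  # malformed row: skip rather than guess at the columns
        images[writer], images[target] = paths
        edges[(writer, target)] += 1
    return dict(edges), images


def render_tree(edges: dict[tuple[int, int], int], images: dict[int, str]) -> list[str]:
    """Indented tree, children in report order, with the write count on each edge."""
    children: dict[int, list[tuple[int, int]]] = defaultdict(list)
    for (writer, target), count in edges.items():
        children[writer].append((target, count))
    targets = {t for _, t in edges}
    roots = [pid for pid in images if pid not in targets]  # never written to: tree roots
    lines: list[str] = []

    def walk(pid: int, depth: int, writes: int | None) -> None:
        suffix = f"  [{writes} writes]" if writes is not None else ""
        lines.append("  " * depth + f"{images[pid]} (PID {pid}){suffix}")
        for child, count in children.get(pid, []):
            walk(child, depth + 1, count)

    for root in roots:
        walk(root, 0, None)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(*parse_rows(ROWS))))
```

Collapsing the repeated rows into a count per edge is what makes the tree readable; the count itself is kept because a parent that writes far more often into one child than into its siblings is the case worth looking at more closely.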

Processes

Process tree as the WriteProcessMemory rows above record it (parent PID wrote to child PID). The report lists three reg.exe instances, PIDs 2616, 2556 and 2576, without saying which of them ran which command line, so they are shown as one group.

C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe (PID 2752)
    "C:\Users\Admin\AppData\Local\Temp\2024-10-05_83f20fcc05ffd04c4229f4ee57a59157_virlock.exe"

    C:\Users\Admin\pEAscQAE\UwIMgMQE.exe (PID 2808)
        "C:\Users\Admin\pEAscQAE\UwIMgMQE.exe"

        C:\Windows\SysWOW64\WerFault.exe (PID 1228)
            C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 612
            (-p 2808 names the crashed process: this is the dropped UwIMgMQE.exe, and the source of the Program crash signature)

    C:\ProgramData\hmMMkQsk\uikIkMMg.exe (PID 2840)
        "C:\ProgramData\hmMMkQsk\uikIkMMg.exe"

    C:\Windows\SysWOW64\cmd.exe (PID 2588)
        cmd /c C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

        C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe (PID 2612)
            C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

    C:\Windows\SysWOW64\reg.exe (PIDs 2616, 2556, 2576; one instance per command line)
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

The two HKCU values hide file extensions (HideFileExt=1) and hidden files (Hidden=2) in Explorer, which keeps the added .exe extension on the renamed files out of sight. EnableLUA=0 under HKLM disables UAC; writing it needs an elevated token and the change takes effect only after a reboot.
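The three reg.exe command lines are the kind of thing a detection rule should catch from process-creation telemetry, but matching them as literal strings is brittle (switch order, hive aliases, quoting and 0x-style DWORD data all vary). The following is an added example, not code from the report or from any tool it names: a small parser for `reg add` command lines and a policy check against the three settings this sample changes. The watch-list values and the bad data are taken from the command lines above; the last two entries in SAMPLE_CMDLINES are constructed controls.

```python
"""Parse `reg add` command lines and flag the Explorer/UAC settings this sample tampers with.

Added example for this page, not part of the sandbox report or of any tool it names.
The first three command lines in SAMPLE_CMDLINES are copied from the Processes list
above; the last two are constructed controls (same key with benign data, and an
unrelated command).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

HIVE_ALIASES = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}

# (normalised key, upper-cased value name) -> data that indicates tampering.
# HideFileExt=1 hides extensions, Hidden=2 hides hidden files, EnableLUA=0 disables UAC.
SUSPICIOUS_SETTINGS = {
    ("HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED", "HIDEFILEEXT"): "1",
    ("HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED", "HIDDEN"): "2",
    ("HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM", "ENABLELUA"): "0",
}

SAMPLE_CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    # constructed control: quoted full path, long hive name, benign data
    r'"C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f',
    # constructed control: not a reg add at all
    r"cmd /c C:\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe",
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double-quoted tokens."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def normalise_key(key: str) -> str:
    """Expand hive aliases and upper-case the path so HKCU\\x and HKEY_CURRENT_USER\\X compare equal."""
    hive, _, rest = key.strip("\\").partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest.upper()


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str] = None
    value_type: Optional[str] = None
    data: Optional[str] = None
    force: bool = False


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Return the parsed `reg add` invocation, or None if the command line is something else."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    entry = RegAdd(key=normalise_key(toks[2]))
    i = 3
    while i < len(toks):
        switch = toks[i].lower()
        if switch == "/f":
            entry.force = True
        elif switch == "/ve":
            entry.value_name = ""  # the key's default value
        elif switch in ("/v", "/t", "/d") and i + 1 < len(toks):
            i += 1
            if switch == "/v":
                entry.value_name = toks[i]
            elif switch == "/t":
                entry.value_type = toks[i].upper()
            else:
                entry.data = toks[i]
        i += 1
    return entry


def _dword(text: str) -> Optional[int]:
    """Parse DWORD data in the forms reg.exe accepts: decimal, 0x-prefixed hex, or zero-padded."""
    for base in (0, 10):
        try:
            return int(text, base)
        except ValueError:
            pass
    return None


def find_suspicious(cmdlines: list[str]) -> list[tuple[str, str]]:
    """Return (value name, command line) for every reg add that sets a watched value to the bad data."""
    hits: list[tuple[str, str]] = []
    for cmd in cmdlines:
        entry = parse_reg_add(cmd)
        if entry is None or entry.value_name is None or entry.data is None:
            continue
        bad = SUSPICIOUS_SETTINGS.get((entry.key, entry.value_name.upper()))
        if bad is None:
            continue
        seen, want = _dword(entry.data), _dword(bad)
        matched = seen == want if (seen is not None and want is not None) else entry.data.lower() == bad.lower()
        if matched:
            hits.append((entry.value_name, cmd))
    return hits


if __name__ == "__main__":
    for name, cmd in find_suspicious(SAMPLE_CMDLINES):
        print(f"{name}: {cmd}")
```

The check keys on the normalised (hive, key, value, data) tuple rather than on the raw string, so the same rule fires whether the sample writes `HKCU\...` or `HKEY_CURRENT_USER\...`, puts `/f` first or last, or passes the DWORD as `1`, `0x1` or `00000001`.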

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 - tcp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
BO 200.87.164.69:9999 - tcp
GB 142.250.180.14:80 google.com tcp
BO 200.119.204.12:9999 - tcp
BO 190.186.45.170:9999 - tcp

The three 9999/tcp destinations (200.87.164.69 twice, 200.119.204.12 and 190.186.45.170, all geolocated to BO) carry no domain in the report, so the sample reached them by hard-coded IP with no preceding DNS lookup; google.com is the only named host, resolved once over 8.8.8.8 and then contacted over port 80.

Files

Two paths appear twice with different hashes (MSOCache ...\setup.exe and Package Cache ...\vcredist_x86.exe, once without and once with the drive letter); the report records both contents without saying which is the original file and which the rewritten one. The *.bmp.exe and *.png.exe entries under C:\ProgramData are instances of the renaming counted by the "Renames multiple (89) files with added filename extension" signature.

memory/2752-0-0x0000000000400000-0x000000000069A000-memory.dmp

C:\Users\Admin\pEAscQAE\UwIMgMQE.exe

MD5 a425ad8512b361fdf3e70d24e5a4fea0
SHA1 d3cde8038ae041b088beb641d3bef8ed8da29cc6
SHA256 5b706b994bd3176de471c84faa0383da7319adc672df7c2d1a35d6a514d679e9
SHA512 d5fa29ceb9b24bbb5ab37861d6eca34546495837d7fce405166f40f0b8af83a8194b89ecbd13667e9b3530e2bc1ec0feecd0e807be414554db971299c4dc910a

memory/2752-10-0x0000000000960000-0x0000000000986000-memory.dmp

memory/2752-8-0x0000000000960000-0x0000000000986000-memory.dmp

\ProgramData\hmMMkQsk\uikIkMMg.exe

MD5 3ba5630dfd2ee0d5c289b0f76d15e719
SHA1 7dd8312b02c648da2e3c38fb607a136d5ac027b6
SHA256 d0104eca8c759ae7b53ed570875fd06dcea8b05bc8ae24f25b926748f7424a41
SHA512 6c58c9947d37a591b0e028bfe66d39d77c910ffb27f1b1cbfcf72184de68ad2267fef76e3f428f497eef2f8904e1d47fb471634d4192fcebefc08ad7d51cc7e4

memory/2840-22-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2752-20-0x0000000000960000-0x0000000000986000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GKQosAUs.bat

MD5 ca692d84972c3178353a54fcbfca9acd
SHA1 bef044dda335f1cf4a629d05bd2d6d1b267a48e8
SHA256 a4b29496107096f946cbe11b70fa9122ab7c9469e77539478155d3e4091d08fc
SHA512 60237832888c4fbd7301210b9ef1fde63dfdd82dceb7507a00beaf874bcb61009065fe3996646236d7ec9e0f2b4f6aff139a11e5f8a3c4564e414915e54ccf7b

\Users\Admin\AppData\Local\Temp\Optimizer-16.6.exe

MD5 d998782cbfcffe2b57945e303f02f176
SHA1 bba0fefa7823b0951f33b79708b23a47ab4f2315
SHA256 8b29c9349e7a814e30cce1cfb788f5a21740c798268b0a45ab805195faad9105
SHA512 4562723ca09057817ce66eb5596de858ec3a674e3b3b6a644b52d6ab1e5d4f8650423356853ed68a375e328c4a97b5f33b8639b31b32d8d58075fae7fa37734c

memory/2752-36-0x0000000000400000-0x000000000069A000-memory.dmp

memory/2612-37-0x0000000001270000-0x00000000014EA000-memory.dmp

memory/2612-38-0x000000001AE00000-0x000000001AEB2000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4165f2e417c640882844474011a4bd39
SHA1 b0eae6205c54278262f5e54152922722d72aaad5
SHA256 c3a2b3c9176fb00611edb82ea52d1e1bed34227970962af2c3c5553b0c740681
SHA512 25050a72886a8c8cc05e3111bfd27864eac19a9810f4bf13ec66d4ef979a12d16d7e49d62774ef4ad4d4be707f73800b879e4037633f652a5b0502dde4db9cfa

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\IUIo.exe

MD5 b4f8dfb1aa33556453dc3e0434f1a855
SHA1 7f0caaef23943898973df4498bc6c4af7828c345
SHA256 67a7f22222391c6425cdd236d3823a043d29a969f979c920f219e10a82db7100
SHA512 5772f920fa7721ba0d54dde847dbdd6a7890856bbab8ad42f0a098e5112eac8f4cf4f39fb0cc8d1e40f6f17f60f448297abbf9bf95546f7343a0886cee7bd5b1

C:\Users\Admin\AppData\Local\Temp\IskS.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 5f7096cd48a488f9b2c1a3d0ef53d674
SHA1 4c225be4bc040e84f4a96773ca42f3e589fba5a4
SHA256 23b797b0546c29d3176ef6146db54c66207f7ae730c334a3fd9063cdaf91cdd5
SHA512 f38ee726608a4ad1f78d0cfffe52ab77ad2bd371f997d9a40abd9d815ec4afc09993e5eb06a4889c093def56b52efc63cc8a7c3ddab546b7dd2d609757060976

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 051b4e2938056755da3a97503934eb12
SHA1 88fa05cb0dc9bf5568a74400ce1c05e78eb9f609
SHA256 a1782d733f755d4ade9496e8b6529265851c165af26c25a89052ad7aa4eb78ee
SHA512 427f47a6e0570e711e2f622e351a72ca91e5ffd5dd258f0d819db257bd96743422e5b1f142030f499cfc66ea91f9f7be0aea6f9e9ce6d1a6fe8b8873b38fcf6c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 5c3bafcf80207f4e0b2d84eb90409a36
SHA1 3bb7f4e710c72cc6af50cf45f28a50fd98b253ca
SHA256 55e824afad51e72a48cf02028f3110bfa1d056f8ce0017ed52820665a4148f36
SHA512 ff364354ab3e7e743a6a45a3b43fe5ca9bc2eb8d8934db5486b1bc83528b8f9287019708f7c33208645442b3a52600f0c02b05fff667465c73612a135a875213

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 aa5f038c49f7fa4e0598600dc296f7ab
SHA1 e6be378ff5951145a269886b36f73993f90f48b8
SHA256 c8154770fc30b095030547068f4fd8554770b818b0d74b91a629cea830fce33b
SHA512 cecdb0220fcc97a7e238a6bbba2694cf89d7766f9a5a517c65ae95ef6acbb9d536ce6a065641dcc4f4179ad225d0c3c9e1c4b8a9348ff009239bcf17fd38a95e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 5f3aea8185380267254384297560ec27
SHA1 bf03d38e7eb7575ab58919497282641fb313ac2b
SHA256 e0e7450110a607004de2387933b0b51e5c360670036fef01e7b5ae7a1dae592f
SHA512 bb77debb01606d39eb4e1b84f2e1e3ea45e3c2ed4bab28f54ceeadcc4bc75cf7f683f5c7112cd2d450a95e329aa9e0fccdb0c559868ad47a22197ca01133baba

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 4902d454f7c5229163ce06846ba6e937
SHA1 7f8da6e082c1c7728562e47cd15b6f789e34d6f9
SHA256 a38bc538fa0efe40ebf3b7be8955cbc2784e879ebab6bbfbc7988e13861ac06d
SHA512 a6869c8c7c61eb61bace11dba8ca1247ebc689e85c949f2a34b2a185ed0b02f3d1c3a6a8be389d2461eff88679c1fb95b1e6f2c3a075277ac27151953969079f

C:\Users\Admin\AppData\Local\Temp\UUMc.exe

MD5 45b4552e8451b84082eeec69cdf493f8
SHA1 c36a4a7a927e012dd6fcd91e203b35e1dfc24652
SHA256 7dea16527a665b6120834edb8b47c2b602782e37116032999d57bfe28912e099
SHA512 d0a159cf55a5dc530b5a6a019727790fd1677606535006699fa8294f0299123f846891f8f28a6a54f0119ca57fe588bad7ffda80201ae7d717b53fb30f618194

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 8aa5213868456270e02c7bb59ca0208d
SHA1 e1554c720052f27c228194852b37e10c3059d263
SHA256 2166f826cb72e7423b4ae2073d6b19aa57a19c4633d138330cc55176bba972c6
SHA512 96d904f45e4e072220b6d7f9461c637d89b6ab95c5c75dbc4486a88b04000c0f8b7fe077259a94a2ffef56f396279a14ad31374d10419dfa8a256565a68505cc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 af5c69e3ddb25cb9f457075e5920d05d
SHA1 58ffa6399d4347bbc475f1c9917c483fc193a7f4
SHA256 b78ddba8bfed5f65e0373f4bfda160f3f33bae8beb6b510936ce1b665ae5d08c
SHA512 4395515c2bbc2700ca72323161bee196fcc7460d6e10b66a235fefb2cc0d37eee7e8e8d2547122312a5ce47630cfadebae764dca40c12e62c2034ba2f1a58732

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 516b770fdf4e6cc166d565e17f6dc706
SHA1 00f5ca60e74ab6fb9277626f7696e9c66c533b77
SHA256 f9688a75e892a944130c870a41402f1f6b233dd80fa32a2a28d95a8e0734c649
SHA512 05f7df569fbe9643c180cec0c933822f3781b68291f2d81cac2692f5868d5e31041531113965f20140c7e7ebd9e97760fe00688c9305b1111b5aabd514df0dd0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 f0a5dd067b728413477cd9a70ce2834d
SHA1 525485de6baa63dddcbb44a184e1cbbf33a54edb
SHA256 e02f4f9163b1390150f42f0836e8863cb84651144b7d2baad6746aac00d58d70
SHA512 b08ba457a6df6a7dbb17294f61c2bf05981efcbd9fde6572e5b0ff907ea08ce74b114fef62cd858b57a4124fc8525c06cdab80463347a44f01a162575bb699a6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 6d493c16cf0e87584d37f7e78d0e550b
SHA1 6f7b484278bebc1da029dcdf311e5f0a1ea8aed8
SHA256 a58da07a39b994f20593e45c9e14b0d9b561981126b5a63b36fa31eb43e2b9ed
SHA512 321f8e6b704c0bdc1050119ff30ed5a6c9550b800db1815597430f8c8b33d69a7838be228241879a1a8fc7a79d0f095e260d0b74d4026d9b9bf3cbd141ce69af

C:\Users\Admin\AppData\Local\Temp\CosG.exe

MD5 f57c69e929014d031bacf46657ec5400
SHA1 a77a4b8ab1c81caf74fb3ec66b8851f6a580c975
SHA256 27cd54529b3799489cc352c0d930032bc8768d60d220e4ec67a005752b5019e8
SHA512 726fa17ff5359f79dfc7a9449837f851d27e82d4f7eea4caf209fb8cb10e56a879547c70d4a4ef43369004a44f62bcbb1478722028ac9b507b84585d482d07fc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 699d497ef81f9ba1f5a0152e70701a57
SHA1 c98a940e1db60ed598405420f1d6f5d69673c81e
SHA256 709b3c21b790034750e1b8479a562f9446f978c3b20aea68fdf30b6895d2f819
SHA512 18314fd09b6d04ac245e96b7586d84eb41442bd7218bc1379005c794d6d69d6952909fd0ad052fdff193b7620a14e48aefbdca637a4fa7b159e61cb039cd5209

C:\Users\Admin\AppData\Local\Temp\yMYy.exe

MD5 6246fb26d340808655c1a692c2f82f66
SHA1 ca85f36d1530787683a1a0724c00fb119ad745b0
SHA256 df7f02100bc115b5c9f292624e1d13ce4948e6a702c9c43cff9b184b1d9ac3c5
SHA512 15e2c0be61755af783585bf4eab7e7129e58f6473d0061315d6634511d9db2c34d449c7c8b1f89f11a84ecd2de9b134717de4315590f06ee9e66d001bc336418

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 6c6f823a263d5e6c0b62021c9950d980
SHA1 f40da221b91d374bcc1d5d8bb5bef2c2fd8d7024
SHA256 ec118c2a2153e43d87b67e943e183044f74a6ac640bb362901db64b144d02bce
SHA512 b4dc7f86be6931f01af407db06a496f5a494dfdf293204be6ff2a04b6020a6a90764c0f398e46824eed1cd3fe8a097c78131289981c9e1b93967ac3a48ad597e

C:\Users\Admin\AppData\Local\Temp\gwoK.exe

MD5 2394b4fb88fbbbaae62742b2fa493bcc
SHA1 d007320d787efaa9a9e23a433a53354dbbc4f540
SHA256 48544c957dac5cdd92ea4ac0027fb60a7375e166ba9aa1fdc919d275c2544f8f
SHA512 7433c44ca1b4b1ffe2cf26b099ac8aa2a494949782c183e6080f73c4c0a8055f2d90b9b4a37d536bd73a4778d2ab035c2b693a75fd5b59e0549e1659a0086689

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 70ef91807feb55b8d6b627fb7a45e297
SHA1 dfb6f3f1996d38ad3485586e0471b97b928e904b
SHA256 42444597c7b5a3f8ca1f84bc76de319c64bbb4ffe678b103d8f0195f9dd4dd84
SHA512 954933aa18e617447661e6e1d1f5ebddccb696e7ad2a592ace64755bb9abe6cbbf17b6fc1752b06435b51b904958d0c85a12ebd59487d0db70d51308ede19eb0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 13dd514ab87b8bdabb2a40377cda0399
SHA1 98d95026939e4285f5521b676fd06ed1d4872581
SHA256 e44f65be9daa507a7fd7b8e41930919af750b7ec04b5c5b93f4b7f429f26afdc
SHA512 2fac901766b81d9bd477d796f9cbd8185229f1c391575e744be227c1c30da4d48f7a1c65ad0b88c3cf433f18239e4860ce539f28da52be87142c70687b4ac5ce

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 2106cc9f4679f5fb47fbb4f114f6741e
SHA1 7821c5e8699eac1f66598a7fbad1075b1434d18d
SHA256 5dbe3796f2c0500c754ca189dadc861f286e1b62247b2b79e9f49c5a5afb0cc9
SHA512 b84611b5d783b739bca704143ce88adb70d3c147b3bfed2c519cd66e1ccafb2f39be07b24cbe8b003cb9590b3445d539a763faa49078cd07d83b5992e99f154e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 9bb43dd439deca2451b5dede58f3f6f6
SHA1 229b0c84b63fec9069b43898ababdc544ec59afc
SHA256 fe484578d9760ac5d9adea75e71037830c409fdc880f86143e5dab97e4f246d4
SHA512 21dc3524c45c45f2038427ab1a93f95f56c9c7c8f1967b06cf8a70567c87a0b1d20ff8b97b55516f073b72f4c858a181f460e4a8818606592d280a37e10de016

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 2389e5875d5f0bdbd5cd5422bd2b59e5
SHA1 49fe1675713347fa9ac14e49dd2f88a78c6ec23f
SHA256 cc219f57525d5229fca5f67591c8d1f1bf51673416b416ce49b203308570cdce
SHA512 d33e2e28cd79e35b5db2ee44cf3443be1221a7c7bd357df4f352457ee27607c151219b4b8fbedca41198b9e9b3586c2c152bffbe0174f97c8e37b93087e0c503

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 bf27d4681461bfa2d651969360b44837
SHA1 8f14ce581d7f04e82da88910c237b7e552e44f7b
SHA256 38c9e46f52a57edc916a440835e9e97d8b2fd389c99a7f01decc9458e0467a30
SHA512 597c0b669ebe8c61bce85c1b40602fef965f2641dd8b9023b7923d94c837355820b10aba3793dafc80a712dc88e567751e8320ee5f82b206cbdf063bd02d7a73

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 8acbed9afeee27273fdb5fcc708ae913
SHA1 2bb34b5b98514a0927d04cdeca948c04a6c294f7
SHA256 d792e12242480a639e8093dc22a012353baa0b97010b4c2044adb7e69b9f4050
SHA512 3d456d931b6ce845cd5708b2ec520cdc0a1b59d2dc98813060f5ed41d43e12f2fad597ca7db8e23d48c51f8a2649b6640b64472bec6ce9f47f3c27e18c1cf300

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 8c134db8ab2509ba35b3af2a8f8c3150
SHA1 063ed382ede299a76acbc167d44b8ec0361b441c
SHA256 ab189a87a77575840d8be3aa9bea0538432ae9a85d8eb98b8b5ad657fd826f46
SHA512 aa5cbaa31eb38d11c8a48fc5222f54a1f0fc649700f5605387ef163022dbc7a7fed39529982d6de9899d13cdfd482690635ba4be7eccf7b70e555fef9ed70acd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 1d551e9f15c6918d013ef499ebfe285c
SHA1 a795f5157fa3d320c85aa206633afc9bf09fdb57
SHA256 b8d259157635eeb47de972dfab7c8708740d5d7e717f8787ae52da564e2b2815
SHA512 d404b9304dc0749cfaf8ea5f6f1c640c94e246500ed3203f3a0af6b5c61030ce72deeae7ed7b64a824fce8e64bf0744d571f3f80da4b7bdef468424b16814b53

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 fcd8d1dd69ed674b21c44b49bea45989
SHA1 75702aca4b98c23ed53759ae7aa45698f807c582
SHA256 1ab9887302ee079e7b6b40cbac1b6c0c88da74dbcff55b2d49f3ad20e507a360
SHA512 6aeb641ea6ef5e5e4cb00958576c6f2289668d66f00194b14652f56d58779b85c9d0297fd7d1e25fa8ec6118d97a50b5afbd6977dc9b6ca6ed0ad0deeb2cf8e2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 eb9584590dbc596f0aec789c1033cc05
SHA1 799c7cbd6efba10a0c6c9c085447948d3f8dff1e
SHA256 8d96db36abcd7bf6ddcfdffecddd9ea0fb922c506c36a02035a2488c9bf727ab
SHA512 97bbd38d45a2ddd364a0c9abc57fd5064b59f5e054d7b4a8529bd292dd6526bc2b25462087979e813b0d31de22dcef6df7701fedb040a51d2c42ccc5fa3bb7cc

C:\Users\Admin\AppData\Local\Temp\qogq.exe

MD5 e2bcb35fa304c93f97d8923636c2211c
SHA1 46cb5af367cdaa5ef8296625a7f139a897208bf5
SHA256 9fc8f6a3bf1c3cc94e4b29142bfa47cc950de6e503f869a1d01437d88dfe8cf6
SHA512 55b670f538dca8ad692be4eb336f72a32f6aa3a470281fd244662b340f24c78c93bfe548bd0c8fa53dcffdaed2c7a86450f08514cb0fe134aeb2fc77129d27b2

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 37637fa3ca43c80c80a700b383831b7a
SHA1 2ecbe317ba33d39ff494363466984db47402cbc2
SHA256 eebe928a2300f3047ffc4978936eddd565c0f4ee2b290a67e6f180c186f4876b
SHA512 0ae4242a3812c9c4a26bdcfefaedddcfbf09a879fd64564097dc5db70b09df7f13706f0b75bfa359902e1a4307100d4d77a117973dfd219a4f3c435583a884a3

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 fe30359a237f07da56f48239df335eaa
SHA1 f0f75e40a51ff4dad7799fa8e45644626f255bed
SHA256 80611838b747a9eefb8241f97fd0e708939b2d5bdf952fee56b71a9721ed8c7c
SHA512 9ce54f068ed1a1fece21c4671b81443a8211fbb26b65ce6e9061df7cc17391f8df64bbf288710ea70bdef3f3544a21fdc0df34c9c112cceab93869dcee3eb87c

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

C:\Users\Admin\AppData\Local\Temp\cwck.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

memory/2808-673-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2840-674-0x0000000000400000-0x0000000000426000-memory.dmp
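On a host where this sample has run, the renamed files are the cleanup target, and with HideFileExt set to 1 Explorer will not show the added extension. The following is an added example, not code from the report or from any tool it names: a scanner that walks a directory and flags files whose name has a data extension immediately before .exe and whose content starts with an MZ header. The directory it scans is constructed in a temporary folder so the example runs offline; the names mirror entries from the Files list above, the contents are stand-ins, and DATA_EXTENSIONS is an assumed list.

```python
"""Find files renamed to <name>.<data-ext>.exe whose content is a PE image (starts with MZ).

Added example for this page; not part of the sandbox report. The tree it scans is
constructed in a temp directory: the filenames mirror the '*.bmp.exe' / '*.png.exe'
entries in the Files list above, the file contents are stand-ins, and DATA_EXTENSIONS
is an assumed list of extensions that should never precede '.exe'.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

DATA_EXTENSIONS = {".bmp", ".png", ".jpg", ".jpeg", ".gif", ".ico",
                   ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".zip"}


def looks_renamed(path: Path) -> bool:
    """True for names like usertile10.bmp.exe: a data extension directly before .exe.

    Optimizer-16.6.exe is not flagged: '.6' is a version fragment, not a data extension.
    """
    suffixes = [s.lower() for s in path.suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DATA_EXTENSIONS


def has_mz_header(path: Path) -> bool:
    """A renamed picture that is now a real executable starts with the DOS 'MZ' magic."""
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"


def find_renamed_executables(root: Path) -> list[str]:
    """Walk root and return sorted, POSIX-style relative paths of renamed files that are PE images."""
    hits: list[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if looks_renamed(candidate) and has_mz_header(candidate):
                hits.append(candidate.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: renamed PE files, an untouched bitmap, a normal EXE and a non-PE decoy."""
    mz = b"MZ" + b"\x90" * 62  # DOS-header stand-in, not a complete PE
    samples = {
        "ProgramData/Microsoft/User Account Pictures/Default Pictures/usertile10.bmp.exe": mz,
        "ProgramData/Microsoft/Device Stage/Device/x/overlay.png.exe": mz,
        "ProgramData/Microsoft/User Account Pictures/user.bmp": b"BM" + b"\x00" * 30,  # untouched bitmap
        "Users/Admin/AppData/Local/Temp/Optimizer-16.6.exe": mz,       # version number, not a data extension
        "Users/Admin/AppData/Local/Temp/notes.txt.exe": b"hello",     # double extension but not a PE
        "MSOCache/setup.exe": mz,                                     # ordinary executable
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> list[str]:
    """Build the fixture in a temp dir, scan it, and return what was flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_renamed_executables(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Requiring both conditions matters: the name check alone would flag harmless double extensions, and the MZ check alone would flag every legitimate executable on the disk. Point `find_renamed_executables` at C:\ProgramData and the user profile on a real host; the list the report gives is a sample of what the renaming signature counted, not the full set.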