Malware Analysis Report

2024-10-24 18:21

Sample ID 241018-b92z1ssepp
Target 2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock
SHA256 a8f2e256df5a6d2517d069cad232eed2cd792b6a6cf0f814084d6d9d5de674b1
Tags: discovery evasion persistence spyware stealer trojan ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a8f2e256df5a6d2517d069cad232eed2cd792b6a6cf0f814084d6d9d5de674b1

Threat Level: Known bad

The file 2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (80) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 01:51

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 01:51

Reported

2024-10-18 01:54

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe

Note: with HideFileExt = 1 the renamed copies listed under Files display without their appended suffix (usertile10.bmp.exe shows as usertile10.bmp), so the infected files pass for the originals in Explorer. The companion Hidden = 2 write, visible in the reg.exe command lines under Processes, keeps hidden files out of view as well.

UAC bypass

evasion trojan
Description | Indicator | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe

Note: "UAC bypass" is the sandbox's label for this signature. The recorded action is a plain write of EnableLUA = 0, which switches UAC off for subsequent sessions (the change only takes effect after a reboot) rather than elevating the running process; the write itself succeeds only with administrative rights, which this detonation evidently had.

Checks computer location settings

Description | Indicator | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\xoMoIskY\YOsgokcc.exe

Loads dropped DLL

Process | Events (description/indicator not recorded)
C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe | 4
C:\Windows\SysWOW64\cmd.exe | 1
C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe | 1
C:\Windows\Temp\{07A86F4A-0AF0-4E2C-9C8A-97469D2543DB}\.cr\windowsdesktop-runtime-7.0.11-win-x64.exe | 1
C:\Users\Admin\xoMoIskY\YOsgokcc.exe | 28

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\YOsgokcc.exe = "C:\\Users\\Admin\\xoMoIskY\\YOsgokcc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vqEwwwos.exe = "C:\\ProgramData\\qiMsIEMA\\vqEwwwos.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\YOsgokcc.exe = "C:\\Users\\Admin\\xoMoIskY\\YOsgokcc.exe" | C:\Users\Admin\xoMoIskY\YOsgokcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vqEwwwos.exe = "C:\\ProgramData\\qiMsIEMA\\vqEwwwos.exe" | C:\ProgramData\qiMsIEMA\vqEwwwos.exe

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\xoMoIskY\YOsgokcc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Events
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\xoMoIskY\YOsgokcc.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | 3
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{07A86F4A-0AF0-4E2C-9C8A-97469D2543DB}\.cr\windowsdesktop-runtime-7.0.11-win-x64.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\qiMsIEMA\vqEwwwos.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | 1

Modifies registry key

Process | Events (description/indicator not recorded)
C:\Windows\SysWOW64\reg.exe | 3

Suspicious behavior: GetForegroundWindowSpam

Process | Events (description/indicator not recorded)
C:\Users\Admin\xoMoIskY\YOsgokcc.exe | 1

Suspicious use of FindShellTrayWindow

Process | Events (description/indicator not recorded)
C:\Users\Admin\xoMoIskY\YOsgokcc.exe | 64

Suspicious use of WriteProcessMemory

Description | Process | Target | Events
PID 3024 wrote to memory of 2880 | C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe | C:\Users\Admin\xoMoIskY\YOsgokcc.exe | 4
PID 3024 wrote to memory of 1512 | C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe | C:\ProgramData\qiMsIEMA\vqEwwwos.exe | 4
PID 3024 wrote to memory of 2996 | C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2996 wrote to memory of 2236 | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe | 7
PID 3024 wrote to memory of 2768 | C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 3024 wrote to memory of 2784 | C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 3024 wrote to memory of 2816 | C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2236 wrote to memory of 2836 | C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe | C:\Windows\Temp\{07A86F4A-0AF0-4E2C-9C8A-97469D2543DB}\.cr\windowsdesktop-runtime-7.0.11-win-x64.exe | 7

Note: every write group pairs a parent with a child it spawned (compare the process list below); there are no writes into unrelated processes. That pattern is consistent with the parameter set-up CreateProcess performs on a new child, not with injection into a foreign process, so this signature here documents the process tree rather than a separate injection technique.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe"

C:\Users\Admin\xoMoIskY\YOsgokcc.exe

"C:\Users\Admin\xoMoIskY\YOsgokcc.exe"

C:\ProgramData\qiMsIEMA\vqEwwwos.exe

"C:\ProgramData\qiMsIEMA\vqEwwwos.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\Temp\{07A86F4A-0AF0-4E2C-9C8A-97469D2543DB}\.cr\windowsdesktop-runtime-7.0.11-win-x64.exe

"C:\Windows\Temp\{07A86F4A-0AF0-4E2C-9C8A-97469D2543DB}\.cr\windowsdesktop-runtime-7.0.11-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

Note: the -burn.clean.room and -burn.filehandle.* switches are the WiX Burn bootstrapper's standard self-relaunch into a clean-room copy, and wixstdba.dll and bg.png under \Windows\Temp\{FC59FB89-3825-4D1F-8C6C-987B7A4B7B89}\.ba are its standard bootstrapper-application files, so the windowsdesktop-runtime-7.0.11-win-x64.exe subtree (PIDs 2236 and 2836) is the .NET Desktop Runtime installer running after the sample started it through cmd /c. Whether that installer binary is an unmodified Microsoft release is not something this report establishes; verify its hash (SHA256 a02ae6f47a197c99c4a78ce098698982ae235f03e5f3d8684c93be2bd9a13482, listed under Files) against a known-good copy before treating that branch as benign.
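The three reg.exe invocations above are the whole of the sample's Explorer and UAC tampering, and they are straightforward to catch from process-creation telemetry. The following Python is an added example for this report, not part of the sandbox or of the sample: it tokenises a reg add command line, normalises the hive name, and matches key, value name and data against a small rule table built from exactly the three writes seen in this run. The ShowSuperHidden line in the sample input is a constructed benign control, and the finding messages are this editor's wording.

```python
"""Flag security-relevant ``reg add`` command lines.

Added example for this report, not part of the sandbox's own tooling. The
three reg.exe command lines recorded under Processes are reused as sample
input (plus one constructed benign line), and a small rule table maps
(key, value name, data) to a finding.
"""
import shlex

# Rule table: normalised key path -> {VALUE NAME: (bad data, finding)}.
# The three entries are exactly the writes seen in this report.
RULES = {
    r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED": {
        "HIDEFILEEXT": ("1", "Explorer hides file extensions (masks double-extension payloads)"),
        "HIDDEN": ("2", "Explorer hides hidden files"),
    },
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM": {
        "ENABLELUA": ("0", "UAC disabled via EnableLUA=0 (effective after reboot)"),
    },
}

HIVE_ALIASES = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}


def normalise_key(key: str) -> str:
    """Upper-case a registry path and expand long hive names to their short form."""
    key = key.strip('"').rstrip("\\").upper()
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive, hive)
    return f"{hive}\\{rest}" if rest else hive


def parse_reg_add(cmdline: str):
    """Return {'key', 'value', 'type', 'data'} for a ``reg add`` line, else None.

    shlex runs in non-POSIX mode so Windows paths keep their backslashes and
    quoted arguments stay whole (the quotes are stripped afterwards).
    """
    tokens = shlex.split(cmdline, posix=False)
    if len(tokens) < 3:
        return None
    exe = tokens[0].strip('"').lower()
    if exe not in ("reg", "reg.exe") and not exe.endswith("\\reg.exe"):
        return None
    if tokens[1].lower() != "add":
        return None
    parsed = {"key": normalise_key(tokens[2]), "value": None, "type": None, "data": None}
    flags = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):
        field = flags.get(tokens[i].lower())
        if field is not None and i + 1 < len(tokens):
            parsed[field] = tokens[i + 1].strip('"')
            i += 2
        else:
            i += 1  # /f and other switches take no argument
    return parsed


def findings_for(cmdline: str):
    """Return the finding strings (possibly empty) triggered by one command line."""
    parsed = parse_reg_add(cmdline)
    if parsed is None or parsed["value"] is None:
        return []
    rule = RULES.get(parsed["key"], {}).get(parsed["value"].upper())
    if rule is None:
        return []
    bad_data, message = rule
    return [message] if parsed["data"] == bad_data else []


def scan(cmdlines):
    """Map each command line that fired to its findings."""
    report = {}
    for cmd in cmdlines:
        hits = findings_for(cmd)
        if hits:
            report[cmd] = hits
    return report


# Sample input: the three reg.exe command lines from this report plus one
# constructed benign line that touches the same key with a harmless value.
SAMPLE_CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v ShowSuperHidden /t REG_DWORD /d 0",  # constructed control
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(cmd)
        for hit in hits:
            print("   ->", hit)
```

The parser accepts both the bare reg and a full path such as "C:\Windows\SysWOW64\reg.exe", and it matches on the normalised key so HKEY_LOCAL_MACHINE and HKLM spellings hit the same rule; extend RULES with other autorun or policy keys as needed.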

Network

Country | Destination | Domain | Proto | Hits
BO | 200.87.164.69:9999 | - | tcp | 2
US | 8.8.8.8:53 | google.com | udp | 2
GB | 172.217.169.78:80 | google.com | tcp | 2
BO | 200.119.204.12:9999 | - | tcp | 2
BO | 190.186.45.170:9999 | - | tcp | 2

Note: the only name resolved is google.com; the three 9999/tcp destinations have no DNS lookup recorded and are contacted by IP. Egress on 9999/tcp to these three addresses is the most specific network indicator this run yields.

Files

memory/3024-0-0x0000000000400000-0x00000000004B5000-memory.dmp

\Users\Admin\xoMoIskY\YOsgokcc.exe

MD5 24b8e9a9ef419977f2a89e18155c6ef4
SHA1 d72df68449c98d53092ead1b2810f519a94c3f1d
SHA256 fe62e8a846a6755329b920978ffcba9152b450dbdb8698b6b1f7a7b909f5d713
SHA512 1cc8e73d046e51b21db458de3023fd071f724d5017b1c32fd4bf2c1b4e390662f9a52b0e7ba21debc1c638b15d5faeadf99f96bfbf9e5defceb35c94c24a5c10

memory/3024-4-0x00000000003A0000-0x00000000003BD000-memory.dmp

memory/3024-10-0x00000000003A0000-0x00000000003BD000-memory.dmp

\ProgramData\qiMsIEMA\vqEwwwos.exe

MD5 d25c7129129e8053e947113539e2e33f
SHA1 1511439c7102cf1c491faea7eba8347770b3ae35
SHA256 aa698c493cabee8ea3ec9487b992987a1314e61b148552a5b686274afe129436
SHA512 2870877ffb7e54d4eb32af0924b103fda3cdfe007bb0b34a339b664468d7b9dcecb0cdb7fc59a576d16be92b9daea208dffdd4a9158d0999436ba56b563f69ee

C:\Users\Admin\AppData\Local\Temp\AUkMAEsQ.bat

MD5 5e8bd8e6cf18247becef9173433f9bdc
SHA1 f588ccfd32bf23f37ed3000aac55bcc547a61c0e
SHA256 12b22b62855168567fdda994d3ed0fe6a3ba1ae1f1180d0ca439717dc5bb6bc5
SHA512 c04b5ba3bc131f2ffd8a6af78463fa54180fcca162c519194bb70e2a39488e2fe3df3931b3238afe35b4b2ec50b4b06c135f2ef47d7d948a6e303b8d46f5af47

memory/1512-23-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3024-21-0x00000000003A0000-0x00000000003BD000-memory.dmp

memory/3024-20-0x00000000003A0000-0x00000000003BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe

MD5 a5c028a585ea46a9779d0419efce0be1
SHA1 df5dc74ba102467185ce87a7df8886b3d88addc5
SHA256 a02ae6f47a197c99c4a78ce098698982ae235f03e5f3d8684c93be2bd9a13482
SHA512 46b7f026a0536e2c771dd7cb87459b04c74501ac5753e0945e4dfc9ab210292844f1e5101003e9ba6c75effd84d8f689284a3f28573749828c4b47382107a72c

memory/3024-37-0x0000000000400000-0x00000000004B5000-memory.dmp

\Windows\Temp\{FC59FB89-3825-4D1F-8C6C-987B7A4B7B89}\.ba\wixstdba.dll

MD5 4356ee50f0b1a878e270614780ddf095
SHA1 b5c0915f023b2e4ed3e122322abc40c4437909af
SHA256 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512 b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

C:\Windows\Temp\{FC59FB89-3825-4D1F-8C6C-987B7A4B7B89}\.ba\bg.png

MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\UwAK.exe

MD5 e6c81cbb596a1927c268b5e36f4be0dc
SHA1 a319aff2edede947c3bcb04c07de1efea81f7fad
SHA256 a5b0728e4318df7f02203f0bebd298896de886807bd10953fd28be1e36d8bbea
SHA512 2e881503e87bb30e49296debe9b1fb041e3f5129d460b1837bf26983c34026c29e867e7c7e85ca88e14d632e9b2683a8959e8139aa77371c56560c0dd5198af3

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\yUgc.exe

MD5 b53ed438a99eb4fc6d74760b96833a50
SHA1 3596c46300091b17f5eccf2512671df239c33a04
SHA256 438226df0077f4c9e882bbc25503d11c8d883efa9155ea795505e1eb861b2b7c
SHA512 5af3350049353ce9b7bab9ab338356d98ec420e5e7e0a05b84c72e7addebee6ac18defc927656abf5d49c555f1416c943c613e6ebb6cbc273de8423b4d72e64a

C:\Users\Admin\AppData\Local\Temp\mAQe.exe

MD5 b5308796a9a94fa13247a273bdb5710c
SHA1 2c9947bc11b4b989b2f039273a5b67759150710c
SHA256 6d80545719a2051ca9ade18272c642a53c3525da4140581180cd2b78ef8b7022
SHA512 942547bb3d3024104041997b7eb11d5899f6c58298a4e42b68696aba23467f9076574a0374b2cefa47dcf580b2669220b8c95a0446bcdebf7afe68066fcbfd7f

C:\Users\Admin\AppData\Local\Temp\OAoQ.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\gsYA.exe

MD5 6d069d6977fbd50630ab2d466b2525d6
SHA1 db7333d4c0c5280057754163941dcdd6d59c76c8
SHA256 a0f6baa13cfef2b2d58c3a27ccb73b1119bcd2e9d6b53e4d592c02a9ce0d0878
SHA512 b8f9bf9947273809168a4fb381e0b1cb745ef80438d13ac714d0a84db5df63d3f0e75053f7c57500694c5d86421dd61958c9c09b8d51ca9834e86e7b91eb80bd

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 1538a519368425564b37ae3ebbd6d312
SHA1 30c123805ba9e8f447e493cbc94b573f03a0568c
SHA256 18f399f0ca945ae456f2d79d7d8e8bdf5a17e98f3e6b69a35788c56f1623dd1e
SHA512 3845b73adb0b9e04a50806fb186c4bbcb7686f27c185f9b2908fbcffdfce5b1d07d0ba940c49fcbab093a3ac5c68c1e8bd8ac910296d76b352b0d67854033bc0

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 0819e88665926bd14a3108565a9e5671
SHA1 4737041809d60037c235696b4d3b62db4ba3f192
SHA256 98bdd7cbfb4c769e3c55251bf600af3624727b7ca22a9834277e1f9896c66eeb
SHA512 e2853e2f961a58235a704955ff4649f3a68cac56b16ad2f799e3a33fec503ca267d9c8e958a19559517c22c4055cb4aff96b700a1e29bace3c415f6081ef2581

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 2aa7d444cf7826012065f35100a5c705
SHA1 0ca9222efa81a8c4b11e16bbde8644d4788eca1b
SHA256 11e9c3038aea93afb6d5ddad02669547ff476e73a47b900603c7dbea752f4672
SHA512 475077ab827895f888ebf22db8bb75f0917eab128ff00947485e3cdb6771a0b502830aba2ff034335c3e7ab021e1289a1d88f6fa20cb8601aeec550e5251a7b5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 e2167b52d54c32dfc6ea38dda20931be
SHA1 198210c0c4c36399294de9a57bc40136137abdf3
SHA256 970b732b2ae135476b6c7e43af8be9fda13166ff58b75cbb996da6f1ee48c23f
SHA512 113524afbfa766e870220c55cd6678e91f527e12587dac77f7ff595b61fe11bd04758299c4095e5fac6ce08fa4e22556e21f03434375c562f84afa8f19956920

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 652c10cc323ac7613ef6e28ff17e95e1
SHA1 ba213655e320f76d46a7d05adc58715eec954288
SHA256 41538a0c6282d8e2795d0f703ac9615c055726cfd0008d665ecd7f096044db11
SHA512 f92eb4739f102ba2ad3757d6e3ebd9aceb4b67767f1675e8787ec92525d4b5104af32a0c0d059807243fb15665e56a2fa6af84692a1e67f46644a645c6990e75

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 d1c81eb6c89e1dab29b5d6d99c9a2fcc
SHA1 1b776bc220830460fd892553ddc4e6382e7e6b55
SHA256 ae9bb05236317156ac369fae51cbf2a4fd301b7e626967b824497aa547bc0f83
SHA512 16a5fc04398e730d1c28dd86148f8ec095693d9a1ec66ed615b8cca325d27385e6c6e9e697b626be1b3e752492c787a1d7bab88646f08e2798056ec3b9b61119

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 2f9527dbec3aed961bc0c775eb0b3b17
SHA1 91df889724b935cf4a7db1431fa8201ce76d7778
SHA256 7d04c8b7367d0a98eb66afd0f5dda09cc963d55d7a8773234b22b268850a044c
SHA512 043b5c7235b9f01908fa8e7ea84784c3cc1060b9f306dc9efa012e5c020453764eb019f3d68ab249c78c3dc2faae91942216df3d22c3e556756327d00b5b714f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 157216e7f9e70aa430dfe58976354da6
SHA1 f9f6a6fa345e8927c169a8a4273f38a90227155e
SHA256 6b5adafcb06968a176d3bf9385d686a733b8fbc98a0da7262f68b080f5a56f67
SHA512 38cb5c67d52476b674dad7ecbcaa8dcedd60011c210fd60b1ea7f29e8c84c800c54a6c1ef7125c7f88c0cfd9c360aa55f10b63daeb93b70c31885ec099c46727

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 4be9fe84abc31a8f17a836f6a92e511d
SHA1 db867d08cfafbc945295630c6637fb96799e9a39
SHA256 7fdc315a2d9bd5549baedf8f419d98bdb4e24113b6537a375d08ee75da04485a
SHA512 e58990ce8bd2956d5ac944d083fa0518f75e67bd729c111c135ccafd5a4d428887497616e43313e0ef92fa54ddb89194d3b91c6ebdeb366bf9b95f24d150ae5a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 0f20fc87c77e02fbcbee8a8419ffb24a
SHA1 b95766ef4a472450f5fe0ca559a59a097321c293
SHA256 9c4f607dfce2f98f845c546b9e0e0034bafe21685eeba20aab664c71f3703a85
SHA512 3092b942c2527be1a5031b0b34badd4adc39ccadc0ee4c1509bc7cb3b47039a96d3c9cdd5e5294b3809f0f464837abadcdfacfdf42fd401a1c803cc6138fb091

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 5e248685a21a6bdb9d0553ce2cc3afc6
SHA1 9e9b264f46db4c9d15c8d36005bf4792fa5e2fa6
SHA256 610fdf589bba433c9f411f2f3011c5c025ac5b82e7f60a7ec4b2a9e8c1b95c8c
SHA512 25ed2e3ec209b3a766186c1c2d309dfa901e5667555f1812c16462ea95766ab45ec130d60e44f538ec2ce2a6bb62974762b4f95c8471d4e81c817f2638149889

C:\Users\Admin\AppData\Local\Temp\Qkss.exe

MD5 43f85824e1162a112e67c3e3d64a0f5b
SHA1 e050fd16bfbe0bb1bc2f237b247428647bb9e844
SHA256 c7680150ee7c83bc42d811dfd9ab89e6982563c67193b2d564d505bb73826fb9
SHA512 c0c681beb99a5ddfa02de3c0d426ca63f3f56b4e9fe6d8c9b90416cf172b9f336c33293eaba86733f8f50299ab1550110f0712ebac30eac8decf7a0e70cb9d3b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 c39a14c59ab26e1fa8d7fba7f5b6fba7
SHA1 e2e567f6f64e5a84fcd618416388170ae6b92e5d
SHA256 f957bd1d5e87605e3fd1927a68ba01dd30037313113bb0d7b20b99893f020dce
SHA512 e38492b4f29890f24fdfea3a2f8dd27aa198b02a219c09a607d1c3bf2789f14688ce1026c73f1140b2f5726e32ef585f7a42b74cd413f2d9495c5ef0cbbb376f

C:\Users\Admin\AppData\Local\Temp\qgcA.exe

MD5 593c9458d56652d6644312927aeec07b
SHA1 028f0c94b89cba222cba325c7ada24058638e065
SHA256 7bf7e8e6c705d93f5005a2fa79c58aa5ac57c01316afc57d60d541750e5351a9
SHA512 0b1da918cc35d5a30e6d160c26fc336256cd50dcd77fd9906a1fa099082c1f357beb4481f31efd6ec1972e84db091f442cf1f0f53f46ee3277a0fe3c4111c2c7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 e4fe1e6f424d1fedc0ae8cbfebab6c03
SHA1 879765766aca93cbc3d3468832f28e28c77586e2
SHA256 6938ae8e67bff09a77f6cd033b7bc02e2ab45d5fc5a2a538030dd8a566a4647f
SHA512 aa07e6c5f9f53f829796dee3ee618ef30a6822eb5063e63d2929941e5236f496bbf2be1fe1284251cb3e70ee27d53a7862a2851cd55428a5d644576eca8db9de

C:\Users\Admin\AppData\Local\Temp\asIU.exe

MD5 89f4214b484d1f5d5a05733edd33f2c2
SHA1 05a4d4a7dec068776d77494a8cac9a372ba7547b
SHA256 8bb309794d3b0eda314515cf58b6b756d7b860a5929bf22752eaf5ff0029a7d7
SHA512 95aa7f4c772c265cae35b72c49f58a1eff765205c87b1f51b7c928dd4b90d45542e4126d13b91907ac54c304bac1f185473bb3ea1555d7fcb725444473ce721e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 8bd98e2c2857fd9189283e35ec58bd67
SHA1 0696793e52bc830daadbcca30449cda87e78ec44
SHA256 b8a7c0b7c7ce4d0480a6445a70cfc5a6ae3de15eb0a0cba6bd78c4a073dc8126
SHA512 4513cba681eaa252c4ffe85640fd2015be5c8fb1b868fafa9a3239e1b83c68eab7fe49e08e50cea26a5013d8f4d7a668704908bb99d4901be9fa404a654a5f08

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 3b724ab5da681bc715bb9ab7900ce3f9
SHA1 0f3330816304f16c2d747d1b26ca3b3d5e69fcb4
SHA256 c1027e9cf0597591a2dd9fdbba9d175d344f0783a4a40335dba08d16a02b6959
SHA512 6c1c14b2bd90e4583fb84b0fdd79199e0671330791eea388899c54a44194c26b64fe1ef64495974a50b91eaafec3006bfe70526025f45d29e04a2c0cefdd0614

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 55839a30bf45222442189dba2ed872d9
SHA1 9d2faa7edb2c0b7ac18a2dc598a2407b494ffc8a
SHA256 f6ab7c57bfc459e02e91397748d8133232ece0018564181d8ed9895a51a4ad33
SHA512 2ff54af03908ffed35b015c18847c15bfda5502fd10ff239769654687254b938cf20f60c467db51929af6d9df5807399f50cad6b147006d71809ce0fd00c30f1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 ff6e97116ee1b481b64e2976106d4882
SHA1 d24555c6a659280fd90e5d057e9604f84fc611e8
SHA256 88dc7a0fba5afbf7243c28ba026ebd8f4f7e57eaed5b1fcb4c95b4e876b1c67c
SHA512 58de543a3c152ab938790d5edb21e8fc354dd29d8022c5590f272ffed194f9c8b4559e4c0858c913745c391fe7403a22391d83b0d241e0f318c7932235faf1f2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 8399a7c1a806f5c746f75344ba5edc34
SHA1 365adb48d1e0c0abe80508bdb6ca909c4a87d69b
SHA256 d5de1fb3e7e16556691f89a3a0f4031b6bad278591a78e9ec50eac3e18713337
SHA512 10affafbaf1ea20d492ad9bd12b387438da0a8e62ecbce84aeeab8d8090f3807e5fd3e06b9a3ea0791ad7dccaf81b06706bbeedd1d0427be6565ba240cf4f229

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 83dc710ceeb4044456c25d73ddca6a53
SHA1 a06869046f3fc01750e9ca40c710609c926b7004
SHA256 64f2afe03ac4681bd56b4b92a87c42706213de7e5d2c481cc433c6777edcab54
SHA512 dd8c9f2e4bb2577ce0a2adb72bb27052523f6d0a43a74e58000880f8fc1360a9d91ccf28f80d654377999dea5b0bfb25ea48f979457d64f02c3c4ba7abd23505

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 7442b8a5b4d6d8c198d3321f88766c0d
SHA1 ba20fce71a90caae51ac0d9ec5a44f1f59cbefc1
SHA256 7de827d57f94154ac164e834e9af311a97ecfd1ce44f40b3e026c270ac504ac0
SHA512 bc65996ccb3dede415828938462974b65d4def005c653567f271a9f2e016b159c55b7d79d8656df61a54fd1cb35b51cb46b6a2ae39d1e43e2860671a165e847b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 bbeaf6328fd91d63a06c1fae4c49c9e3
SHA1 38d1f89b6b6fce110b795f042824b4ceff182fed
SHA256 7ab1085b5b8c53bbbf6859c9347c59690766dfb9ab655df7720fe5085651041b
SHA512 f4d5665950656989f7d00d136ad2a85ed01943a8f4881e6fd753a855ed770eb9982ba6767bdbca0c96693b0baec50eeb177d7439f0364c808b2b810bc6a0e61d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 eafdfe4b3b9d22b00a53048d37dfe805
SHA1 0395506d1c9bdad719053ff21e8c5d327ef4f8f3
SHA256 5fb485ed17dcfa3a2b9dc422c41772748f86f1068f1a79f22cf13e7935e88942
SHA512 94ebd68a6c066260c3f383c26e6da68ce24f1ca11f652236160327ebf51840cfddb2c95745807616001fb2581a27e6cf16a7a5e55e6227f1705b0fdf14a12f3d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 c904b5fa6af7e9cf937bdf26fa95dd7e
SHA1 3735ff9541cbc15589a682425daab437109298cc
SHA256 b54e0fc952271236a31851cdc0a8f21cd3e3864ef6ec907b48e1f79949ff7f4a
SHA512 38e265ebef04b4c0c1583c705ac428268fd5acdab31241e0c75a06c14dd601d6f4866e64b3eb7dcfbce773c86ed0ecc4f75f68536921877b336fe4ed43857a7b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 2a587e036e45eca1dc233f6e8cadcbc9
SHA1 afded0725efcb9ae7dbcd2913f32e71a7af0485b
SHA256 7c39f4d3c48807de64baef1348816e1c98c68703b4470a14ed4c9533a7aa7a28
SHA512 3c873aa4a2cadea4d290d599b4a120fa57b1762728163d799d0958d5096fcbb1ad94e7f5014743da7873ad714c4abf81ab124853b170555157d5333832bb236c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 ba1974de7464d78ae6262d2c61c9510a
SHA1 1a5833093c01228137e01aeb9d24b71a8ce53154
SHA256 c4eaab85e5a4917f0d44f752195253f770db38ef59d2ff3e7f30ec5cf5e0aedd
SHA512 dbc9c1425106494f6fc73dc0a99776d06cd0784f4a02495586fcde080d83e5d40ac1cc1856945bff943d457bbd7abd46bc8873e162124b64239040081b75008d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 d0e1834892963c49bf7b9a29423016a2
SHA1 43cbc54f673c59054f7a12f6d7a1bcd08b8fc296
SHA256 f8a950a6da4e815f8289afd2ac9a1e4e78f1b9f95856df2ef722ef7424958197
SHA512 27b8fe7a94b029ad889b206c12aabafea9d99ea22f3ecfc2ab40e56b8bddca2f384b5213fa9fd7079872774e8a0c35b149236f9e0093fbdc1a97975b4dd6b39c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 e1cbea62363db51f9ff104dd5840e374
SHA1 1e1af13cbb7e502df1580738c167b5074c1308a7
SHA256 5c9e46bf07c2025543f4247e2b191e504f3b1baced18e7190047b9e1f7623d09
SHA512 fc67f2afd98bee0a1b9513147242ee5684fe0b439b385bdb178434296cf20160c2d6603a59640a1696406bcf4fd30783b0200e1f66691b56dd11ebca2d62eb39

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 a0a50d96bf0155694c9807fdf3a784a3
SHA1 ed5a63a497b217ac66facbef5efe60c447bbf4c4
SHA256 b69d2d6f88e0de01aa41b7b28441a7805e0d3213e9b5d6f736e72b4f74e20e7b
SHA512 fec11635139f483ea31e4d0283f7b89e2870229e1ff97ebea5a39908fa0aab3b13f5f6cab204f34d9bfe2e8043b681530a83c1a1c48e9a7c5c5d89c92f53321f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 65329c83d90bab822b68d3727bfa148d
SHA1 da4db261db53efe7d392381d411819785e230d0d
SHA256 094d6b28fd19b9dbeeaa9bb557f2bb028eff9065c180925a3138b0660afe7917
SHA512 f10d93699155d2c87c935ea36daf796f19d53fbe798d3a68d53e31454946431a7d102e329fd11e0ad5d34fa47ce5a11973a482a7231c2c67eef5760d25ab3f69

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 d5374ca531d10fcc294c5965d019bd2d
SHA1 3b79f6ac214dd98d7ab351d31304abd6eea256f3
SHA256 8e0e9632f25ca7976e05a1df0099cae29bb417fd5e5d8affe497e05cd8645ff1
SHA512 d25245aec204bd8ca3501923f2fdf7acfe70b377bcead765eb02a6e0dd1705a587650a0f343b3c3169c9c1f8d9b332a501d842a244a1f5c2c68f3cec43ac4124

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 e1b4588b04e0907b43c1bc092f772637
SHA1 52f3a6f9f0936c5e17f404a6d1a398d9424566ae
SHA256 331fa81e951478928e450a9bdb109180b330995e060afa8df8ff7018fedb7303
SHA512 79fbb1bc93b1d9ba212bff2f1baadc5810d7a6a79e5fa00efef04cffec41b60fdbb3a917aa0b9abf78ebc12b2ecdada29b18b3e8bb7965890b2546d2ebca2ab0

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 7203104a447e3b092d63cef80c4864d1
SHA1 d9416a7495b6f5b8ebc3271ca3fe77beb6bb0496
SHA256 b9f7282bb38d94cdd2acb9e15d8d6b117d26b578bf37af9d021f97af7388317e
SHA512 f0bb1bb1c9068423a89400f1316c93ffca077f0cd5cd8c040735e4e802298fa94b61b37a7ccef81bba929c388b693c43217d3add7d953fc266c24de941541d32

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\Users\Admin\AppData\Local\Temp\CIIK.exe

MD5 e89b779ff9db3f96016fb2128da17814
SHA1 d95e297ea6240ee5d6d06dbebbe2198046ec6f77
SHA256 d04c5db8c8278d937589a1dd7d3345e698a01049e15cb678813414ecb58885f8
SHA512 d2c9f3a4e4fed61ac5de000a0b4d07adb31563f8d372d3b2035a71acb676c00c5986514bc0322cae0861ce55df5859bae7d096ca40fb5732a07d2737cb101cef

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

C:\Users\Admin\AppData\Local\Temp\qMoe.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\KIUM.exe

MD5 126467ac1bce3c1964934ba96258b254
SHA1 3ab3377365704fdbb8587eb5bfbcb2bec7235121
SHA256 dedbaaa9076c316807985d6457749c95b5e298f58a0fff72f71a890ffb0e1dd7
SHA512 51f0c2c5dd6dd0234145c920406750bd2b80d42c9a5532eafecfda8f4b334ee70d9fd2b9ee694f6416df4c0c3da05556a6479020ecad179d1a134da464e70b59

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

C:\Users\Admin\AppData\Local\Temp\yskw.exe

MD5 1bcfa4192ab5364772145944cfb06110
SHA1 6a157d24e2f385fe5ec788f0e851a9acd9211182
SHA256 7488bd3e425a7f1d18594e2a161248189fddf6ed841e0256c88d22f3463af396
SHA512 c781d3c7cee1746ec44caa05490d80eca3b69576a4502531e7399929a40e8420320d4da96cf770aea7e0028febb8cb0dc0ae3a65a6125461c96a7f88c4d9aa82

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Local\Temp\iUUY.exe

MD5 868ea21c0fb405e9be80d43a3547eaa7
SHA1 adeeceec918ff2d30be0ac6ed71fbdfeeab6ee24
SHA256 13238284022600f4f05a612700aa75dba5561cc2802217910f3e518deadb8c13
SHA512 6c12cb3bc6346eb7372c53ec6d11b79473889ce99f028f9dcbdc460338822d1253ff9261d94a851f0bf96aa3af06b35cd7248df0a97ef70abdd3264deda9ece7

C:\Users\Admin\AppData\Local\Temp\aUkG.exe

MD5 77118ba692ba2091f5acd80e55726b0b
SHA1 a15182c21de932a9e1c81887ee6f90ee2ff3eb15
SHA256 95499edef0fb3c27f9b7f31181b90172bdcf2ed6a990baf19894da69f6266347
SHA512 310de32b50ab8c048f3bc3a388ab10fa6b4d957b975bb6a61126b006f3043cf2bc56f27029e8d44de748a9df0d3088dbe8d6cb802d17063ad1aa7fcadaf3f32a

C:\Users\Admin\AppData\Local\Temp\WQUY.exe

MD5 e8b448ce492fcd32b2fa4db51f370bdb
SHA1 95edd88aa9b6698893761a2ebbeb70cf2379f136
SHA256 4532b77367bcd290145f6ff9f81f5da66ced638076d39889fa8687d033f7eed2
SHA512 047c1b0942fd053857766bf36b68f4fa0e95081b5c5d82d671a3acbb24086cbbe8831c9dde8c339c4ea56a5f88e17289160bfdcb22472d3806b03a32a383ef9e

C:\Users\Admin\AppData\Local\Temp\yIEM.exe

MD5 6c6cc9ac540dc4627532f4e22e44da70
SHA1 062ea44859e35215d5d971cdf5c8063120f0049b
SHA256 531437278df9eabeabfa282723a897f2acfdbf83cf554a37cd6703d97e04e819
SHA512 7e78f70a055eca08cf4794189803f1a3bfd53e41015bf414e2790588aa7f0d6a00e6fc8f7155912e0c4507502cc441cc47b224405f9e010789c1e0b15182b250

C:\Users\Admin\AppData\Local\Temp\SQwE.exe

MD5 d3031d3b4149fa31d4bf77436e9ed267
SHA1 68165dcb328970dcd70afc231a48d320408b535c
SHA256 c757ae28d1dba60b5b12edeca5357b10ffdf8f266a17dbb19e7b586ffd4fc657
SHA512 dc5fe49460932c55e05bfa197c780527d19a56e68e7d16d14941da2dc65e9da339d5bb64ee535837567183db7c0f56bd4e4d608c7e20e68307a533b6fe3331cb

C:\Users\Admin\AppData\Local\Temp\acQy.exe

MD5 91a1c06a7fb7122c4401dab8b1ea3a95
SHA1 0abfea281486eeb8151073b74886f644d32ad557
SHA256 2a3c3021444844a863afe222e156de352b2d68c1ee891d07716143eb59618f57
SHA512 9af0f5e74ed3f8de86bd3cb945619b6cd0ef0c2c0cbdf87a4528608d2965258ffa2f00c87c90f107a92885155288f3033f068b245af4af3dab689a22f5369794

C:\Users\Admin\Documents\AssertGroup.doc.exe

MD5 aa74d564fc457e54c1a454c59bdbb17d
SHA1 1602009796327386f8395ee6b0c74bc5589d3c81
SHA256 7a8f11c0f71f0c7dd5de9f3e6fbdeee4a9bed73ff38fb71839476eaf17b780f0
SHA512 c9d02747876bfc39246939b1145c44a439145eeeb565ccd434a16231e4094a1fbc80ba8e4ebef31ef557dfead392461c2fac262ace1e60ab9305a6a11f007ced

C:\Users\Admin\AppData\Local\Temp\CcgG.exe

MD5 4a27d3f385c2fc991a86ee5a0d97f3d9
SHA1 0a9b6a88857c0d528d67c6d215f2e15a24b92ee0
SHA256 40686efb988913b1ab65b532bfbfbe45bf28686935c9e693d4ffa622933ef568
SHA512 4622b0ef6a49a2d5715932a0c84f941efee5c8ab6f2db0d62fd3f8d64295953708fd4496cdbca144e353237d0110ae3cdf3502faef4d4037382e759b46f99989

C:\Users\Admin\AppData\Local\Temp\YEYK.exe

MD5 c6472dc2ec6779f3fff6e0c33568fa1b
SHA1 519879be791652ac91b7f1adb69f0251bbd64afb
SHA256 1f241918392c1535128b174769a0e8f91195db85c4299d5825cbec7d790c8431
SHA512 d8123404327e53236e8f920c4a9d22a1a7181e91bdd8454c1402829165c30bf03f9850aa33f95a770a99d7176b30156bd6235a208e21a7bda783edb9752d3e4d

C:\Users\Admin\Music\CompleteEnable.wma.exe

MD5 5388eb5f6d8f2d07f7fb178461e61b9a
SHA1 fb36cd49ad6b17f8d3f718eca5c5bf6a29d1b168
SHA256 fdb3cd7804acf474c90c8debd8947aa50ebe79adda803f6d4fc5cac395bd7689
SHA512 5fdc47592d412c67d39876a07d3b359c64e1a63381fca7d0aeb75970d559e677253a76345928192248dd39023afeae4b9b3bb5c4de04f7d557e277a8150ab13a

C:\Users\Admin\AppData\Local\Temp\WgEW.ico

MD5 e1ef4ce9101a2d621605c1804fa500f0
SHA1 0cef22e54d5a2a576dd684c456ede63193dcb1dc
SHA256 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0
SHA512 f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

C:\Users\Admin\Music\DebugSelect.doc.exe

MD5 b28cd2ced2afdd7843dc3fd1c692d400
SHA1 3ccbc31e118dafb5c620ae2f3b845d7b0cbdfc03
SHA256 51262f33f4fba27031c75f1682d70d747ca7e01e3d992e673ffe2db392305899
SHA512 323ff897fbfd9700f35b36018e5b8da414f8fd417a06b230bbab850ec16835ada486c799c19a4722daaa5b06cd431083ab00ca6d4e8a09facbcc13e3e75607fa

C:\Users\Admin\AppData\Local\Temp\isAI.exe

MD5 5e95957c01a9112b373a0d43804fe5cd
SHA1 e01952377fa76272ae37ad7d2332eec9bb75a5fe
SHA256 20ebf591cbbfa7e0f043e533ed1633060575f006223c4a42f482f4c562e12553
SHA512 ed1cb64fee78d02e966e315d49e009daaa7da27f47d3165bfc110a94c7d9c5242e4d3e5307e3390476ed92a7c3be3b04a453e9f90c0061314605e1621288b2d4

C:\Users\Admin\AppData\Local\Temp\CkUQ.exe

MD5 203d2a991135015480976f6944954937
SHA1 53940c4531e18f20ab7d4ea1a59db9c5c77e11d6
SHA256 a2e64cc762466adb910954c873a1cd511fab7a31002ec2c8e608c4476236625d
SHA512 23626f115119ec480e2a33f3ba52d01a2b260ac5f5e2ae89f7c53e0b769f70fbc6620455b4051c5c6b0060763f456db26a7c247ead097c954893f84db0b28e0a

C:\Users\Admin\AppData\Local\Temp\UQIE.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Music\TestWatch.pdf.exe

MD5 ce598cbe998e120e9e0e90c61890c7f1
SHA1 b615c158b88c85556a6bbc58e29d428059da60bb
SHA256 676977979da9459e55e0b4986fb24aa7c09bfa7b5fc61ab63743e936fe1c1311
SHA512 91a5ee425e0c1b10a61265ea3c06fc54a7776289efb82085613062cd79c71328d9ea35f63a2baa3c4f45f655f24a097645607fc8e5370b3fc24d45cf20399da9

C:\Users\Admin\AppData\Local\Temp\mwEm.exe

MD5 e2a37c88d2de0f6821b5617a7b8d13e5
SHA1 e2aec7154261f426df0333fddc5355730ecd78b2
SHA256 0ebd5dbcc61696b654b79cbc93675d331d5298798fc0238279fcf58f7e6f4c35
SHA512 1ed32d4b65108ea4cf6a8f63b4f5a58c6167793e5f3957f85995abf99bdcd47e23e081bbb9241e9e710f8f79f076abc8cf119600044c9d7cefa9aafb3eba8bff

C:\Users\Admin\AppData\Local\Temp\WQso.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\wIgQ.exe

MD5 e19a7b18469be2afd6469e80fbad712f
SHA1 7dd737d51f1b3b042f6268f6612ce6c3e0b6b80a
SHA256 3295548a8d89ed90b46da0f0b3dc89683ebfc6d9ac8b6f6d12e73f140a1bbba8
SHA512 017f026fbfb3d39e142ff0e85c5b73038deec7519379f59b27a1acd4f004b527515e5907640b3f34654b1c78ca49bfe138d0dd98c1877795ab729d67e7fa5b32

C:\Users\Admin\AppData\Local\Temp\AwwE.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\mAgw.exe

MD5 3e1e98bacc7b87e621213fc148d30644
SHA1 a18fa5b9c9d4ef0a62ddd34a65c81c043e39aa5b
SHA256 f13879eead8e46fff24418c4d1e7944dcc5964570373dbaac1ed0f9f74afbd2a
SHA512 170dd44e782a9b1dcac6a73f21d00c3c3bcdb945f53e301ac4e5b44efcc278817fa0e6e923567034334328fa8c35b637897600dddef1bbbe3cafcdf36c96ea07

C:\Users\Admin\Pictures\StopNew.gif.exe

MD5 913b46085a6bf1875253bf5dd65a734a
SHA1 4a19ea003ce49abb3c287e01a801305ff80fb4ee
SHA256 b7af1dedc71c8ebe9073426ac27667f7c41844f9ed3bb5d1a6b67baca6387e23
SHA512 04015eee38b83be83b156165661923089b3bf1d83affc608d79c653b58fd4dcdfafa0ebdb456bb86689014c802c4a0ebae4f827afa42620d2e3da0328cdbfea0

C:\Users\Admin\Pictures\SyncPublish.jpg.exe

MD5 5df115577a73e02f12962078a2e3aed2
SHA1 827207be9a64aed089506e2b8ff05a958a9e2be7
SHA256 f14fedcefd8a5c343abfaaf9e21b871cab6de18357b34a270b17d63010c4fb51
SHA512 751bac16f9c6ab208268e623dbad27761d220b2a6e637e9c5d592573fa5f32d88e1a563aaa005a012761e006704d10c3b41e500cc0d563ed4857f736f6de9fa3

C:\Users\Admin\Pictures\WaitRequest.jpg.exe

MD5 41277eda9450b95558bc32fbe0c537c8
SHA1 f3cee0ba84c86f57823afa7f1260e6b017a24d69
SHA256 65a69d9d041bd66840f2bff7f02ee6b04ccb6a45ed5307b9ecadafdf27cb4ac5
SHA512 41229a15d38531f20b68b56ac552e76c9c3215b9d995a5045d7a5a0ff94c5e058914009f1de5b63aca13f7a2c8e6008e8676a808fd9159314b3240a5eb360c11

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 bdceab4fe7346052c661c3ecd17e57be
SHA1 b0cb8d53da11d90ece6fe434faa39159bee325c1
SHA256 9014ede4d44db2dd8f1164422ae218247adf307ebc3a056f5b627476a7ccf843
SHA512 4aedb47ed6a63753b9830eadf05b5ac947920ce4f5ed0dc0a5fdc94d8dd89596bb496672fb1339ed678ace378b022f06b95f31345352fb58b2fdaca285e97799

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 d3e7a514cd1b13ecb1710a7086de21d3
SHA1 fe5fd260d7a64b7b979ccbe2c41d148848c803a8
SHA256 51272b69e5fa808ee3eef0cc660b811ada7aaee75d54889bbc2a25f93b8e69fd
SHA512 8e0c51fac5876e796c20fb405479b4ae900741e1aa3c9f1a6c8b053bfcfc49561773b37e0f7e09732ecdb0ade07b943691f53a49ef6374231e398b065f2c7b0a

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 01512bd3132c6501a1466a160011fbbb
SHA1 c7070cc2677917cdac05b3bef96ffef7a42d6e17
SHA256 404a904ba1da49a9b23957752b43a7368bd1330e8a48c2dea5f16cdcfefd4efc
SHA512 40725d1cfc22451422b8fd750a920af7f7c84e978e665c92ad1b2db648a508d922cdc99e15797767c8c46fdbfe5b399f56012887922f68257e66586f9a08c357

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 1430a7d5aa073d97faec45372b3bb4d1
SHA1 00088e821d19c27dc850e853dcc75d03edc0f17c
SHA256 0e85233a5364af7d734382bfbf09a496188608fcb37de8161ac7329aa50a1f35
SHA512 a7d69e47437dc0e46acf73ec23a869e855980a6fc885d653aa870cfd2718f673b0ecc5f7564dc87f73e32646372f0391aa567aba2ef927f0e5480c0b073c96a9

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 4bc0824db01ee3e8672c3a1da0335384
SHA1 3bba315b4c6265b0ecbf45bff5026be5ae8dc464
SHA256 e9cde12c26a04b2bcc233fe4bd5d62a0ddbc77516211eeaae060cfa83c342828
SHA512 31f0c1046c49d9f427251e90d73e9665f82c44d4e764ca7843acf0b0ebd8187433a22215603024d2ecffcbea0312a20877fea31daca2c592b7beb1fe51583134

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 8bc582cd826de0ad7490105d53751a84
SHA1 d11691f63a85a6324592160b4c3a572ae46585e8
SHA256 0c3d734625978b276c4af0feef6765526455d539906880d42c948a5c2e66c5fe
SHA512 7739c168bbe60b748c05357dc78161dfda4a45a8cc88fbeb445774abddbf538c09902e2dd8e8999a2d6896ee47cbaf0f77964adaf7e037ff9a85d760f374e863

C:\Users\Admin\AppData\Local\Temp\mQQc.exe

MD5 d6ccb4a809fcb69649f20b407ddba687
SHA1 b4cc1a51548c31445969344790e5976f483c5f45
SHA256 f3e1e5d98ef94295c993747cd6a89e9212bf846ac8419df9fb5750f5f1b18f5c
SHA512 112e3578cdfab059432324a91a9f875f4b7070971b8d0ba807f1dc87e93136cf65d34a6ebba67ae87a6dacd36375119755ee1d7ac3f14b58bfb97b0a9725e114

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 5f961c1a43dca049adbd7b48da21e7ea
SHA1 cfffc4cfbaa18415e719a061ae1a2e32fba661da
SHA256 c81cd798ae0126ee629452be5657dbcd85c8e55f42c6b4d962fbb08e438644c0
SHA512 a33990c580d9f89ad8017903eed3b741ea65b23231914d68968016a67212218662f2f225be74f62b5a57d3464af93dfee6ecca3389c9b89ee9e3e2bea0568f2d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 795ec9646fd572cc79cec7b45dbec3ee
SHA1 a4949cec210a8b399f08565597719c5f661f7565
SHA256 efe00b90eafd4a8461224938b03b18085aa500104ec06e05bd65ac15f24684dd
SHA512 066b605a2dd7f3b5c30dcd8b134221031aa5d6180d149a0a74c571ba8fdb9475442bee8c4fb629ab78c0ed3425c123682acae068fa560b0fa79ce1cbbce32f82

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 16a6e7ddec7a6c07aab7441eae1536b0
SHA1 7ce8d99e9cdf2a5c1346fd5bad82b1070ca388b8
SHA256 d56cd7c64bb56f97d0702eb90f0760193e78462cd05e4c698582f428eb3f0619
SHA512 6b54f8bd35cb8710382cc6ac2d477203e69e3ebe8c2b7f49d823c00380817fe6d5119eba75dd6e1a4f1602d872151383001630404b2fda25a871f6452d1bc0f4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 8613c0359eb5c94f6c8bb1b23eed305e
SHA1 91b40a4d1a419101f15ecc704e111d0dd5d17f1f
SHA256 feb4e1aec9595660c174381c01c953bde97baec9425e2744a04acca47d47faf3
SHA512 736ae86915fc00b9202dc9d415f8b30dec428875de3587099d1ee8c1dfbe23e8c825e112726ea21e136bdf7eab58685a199ea744c7954d8a92bc99f54602c333

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 136f64fd06e076b8e91a7dbf7945ae87
SHA1 109dc075bd3efbd8ea23a4afb2d9a8d56b493d12
SHA256 1469b06043ef51235a5d2212425a912ca0c1d36704463edc1d99c5c67ecf7074
SHA512 6286fa1d4275b09f52d0a7be97c47db79e448cac05062c1c5ebe38f64c22c5b9b581933eb36a115847f254195e2075ed822d42d21e35c0b813bfe82d62ca2b8c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 c4a5ea9075f2bc23aede302113b1ca09
SHA1 2997125916af49ecbf61e5c41d07679a85c434f4
SHA256 358923bbf4226bcc1bf10a599bbba0692909801b83e6c172385b76cfed2ff61b
SHA512 e51a01a0e20353bdb704b4c09439c96cf849e5ff758283c990b0d21f5c491cf62e0deca50d81fd5b662751d0914bdb29dd2be8b7b15fbe2e4f35e99cb8a72055

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 0196663e8d348e98057f0a2cf48559b8
SHA1 9cffbf1f288e012fa43225a7174783e4fd99644a
SHA256 09bdcb292f66d858e04beda3b0e03c1a34e564b08cc93de79d52be7176a090bf
SHA512 fed2e328804cf5a6de452c924956739578c00a1e84cc22222c304b79e5a424801126b2a6d447f114fe489168610f6265b9c7a685c31b04562480e3dacde38094

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 7fb7819dee6e4d9fc8c1fca860409b33
SHA1 0203abbb5b5ae01eac6f7eaf74848528573179a3
SHA256 45df4eb336a60b19ea31db6d2402460edbb4fe34dd90d2516188afa5a2e5bfcd
SHA512 9f0366f7514827ed7f35df373aea1e7bd34a9dc986b6b7a1e0371901eef03ce31d54eba950f9a0c7c53667bfd1be7df243c34e75692bc8382815a931fb5bf00d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 d01c447d1fb83518c115e47ae18437c8
SHA1 096a95653f8135a30476ffab7a57337ee3d09f8b
SHA256 387afc760e55e14cd37462670fd5088b8deeb9af80cbaf4adb33cc2f3a85103e
SHA512 dfb16d7ec041b34a7bfce1509eeb2c69c15d0e9768212d0015f8de7914b5b48c688909377e3c7d342181ab17c7e6d1efb0c00f8efdacf5d6ae9e3e476f6f5df5

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 f5b9943b3d6a72f8a2f4b3b6f69b539b
SHA1 3cd3811679e44e393e0d9936b7f81c5afaa78033
SHA256 a9ae847c1e7a088ffe32821ae707893fdf7b7cae9c6c41db186cb31123698a78
SHA512 5d6de6cfc9d066616d9cb5769ca92f5194177498a8517e78e17a081ca02d397e979db9eef468c9d98d071141d4a57603d20c81fab5940ca4cc0d1f63cf0140ca

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 4b2e141dfb0ad399e109980bbf5e3c6b
SHA1 ab058369084575adc48304cec41c74e3a72691c6
SHA256 908880b697a5d6cdcc0a31a8a4642b4d63e6fd4cbe6a6889980eec78535fbf82
SHA512 a096ddcfaa1029e66be1a9623bd39705be73ca0f9b99a3f939f3929ee821cc3ce04b799b9775be9ade5a06ea338fb7dc0fcf28d74472ecf56160ca889fc85b0b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 63f130ba72acb7457d38053c34d33454
SHA1 8add5683368b6ad6c2da6a5e63d4494a2bb82ec5
SHA256 8e26e41df28d4c9a45441acf884031c07b197c30cf32da5955433c67e3beffaa
SHA512 55df893b0befd5e5648065c2fdd51bd49fccda50ab70baa60d2731590fdbf20cf0507f42e1765f67b61d00a16f70180e573b0d60a66254b97b620ed090fb29bd

C:\Users\Admin\AppData\Local\Temp\QIke.exe

MD5 0c2d0a7104ea432a7e7516ad6881f749
SHA1 bd17b6bdea43b567cf229d4182951c4123be719d
SHA256 d5ee2136a032d82b54020af774e07443fe88f468ee69eb95bb7c08e71362f6a2
SHA512 0001bb17a6722c514aa4b830201d8c82399dae8289b233a1b26b32b01842aa755a57d37a4de9ffe95762befd3427f31aba33678b33f0c3aec39f57024d732a15

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 da54000f24fe9f0f716e0c0c77709bbb
SHA1 89a5f7dcd9c63ee4ab258b44680fc09a8cbcd65d
SHA256 2250880dd6440f7579d245603228b3613fc92f0eecfb4d7c9e7d9b5bee9dc299
SHA512 e29ff059f0338cb5debbe6500f541b6d19579b8c0f875fc81e906ec4326071d6edbaf12076dde64ce13a5ec3a95042b1178632181ec4387743b77cb846d92d15

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 327d57ac039f784bf471ce62cd8fdad6
SHA1 db287a715b83cd89c7e1e88031c405c26d2d2c4d
SHA256 66274634cc8ddb33bb237bab3fdbd10636629de052a59d696b08cd548c1df274
SHA512 1a2f0dcd69217920e6f2932649ecbf188e1d0498aec89ecdc4312cb7239874ce026b6e046bc871c22edfc829aefde4acf63b33defc4ccddbb769bd78abf9da8a

C:\Users\Admin\AppData\Local\Temp\GQoK.exe

MD5 6abb86bef9c438be76cef0ef46d77f20
SHA1 f8bf79a624c4a2a7caae9f22aecf0bce930b8b90
SHA256 1ecc47570fd99fc0141ff9de4e84f2f3d10a8e13da8096b9cfbde770f09dae4f
SHA512 e5a638b2746a6c299a8dd0819dde87706bd24d9f3369d80fac71a915a0856921eb0a324e898a6fdaf19e35cca8890a580193243d050c3396ace5efbe2e047f78

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 0443f8161fc1a501451144dec25fa41b
SHA1 3183a7a2c7a518c67c9c406b07bef4c427e096f8
SHA256 9194912b29d9b1ecf302be3e0eba1adc132571ff4002ba6b87c27956c47bc199
SHA512 98295dc2086e3dfda0be38337972d3e1c33ebe7a68d257f4413947034c685714df569c143513eddc637a25386e20419aab71e224776b90d56da1fae20f863c81

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 1c50e30b63b10f4ab28c0261ad2a2233
SHA1 c8f2eed47bc0d88c3728651bf6eaa9a9a74b86a3
SHA256 f72e28d388087517eec882bf9ffabf1d9bbcaeae42d7b2bdff2380b52336175f
SHA512 91d6f9b01b18cc8f57eb85956590499288e59cc2b051f2d751c2a15fe74208796f62cf47ef0000fdaede36ae0234478af33d169cd372f6ac71e7a8ac42f09a05

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 e14b835c2697c9b770aeab11ac481c39
SHA1 8dad052bf91ecfb3719717110308645bc3fc048f
SHA256 73ea3fbad232c2c674aec9832ef117d398623270a051725a42f69d4b8b56084a
SHA512 3b101bb2d0afc46437303e7c0990cb6740b4b0f4505653729bcddb1c6037ec3f317a470fd91d6f58e52b4438b51fafbab4e97521dc68cb3b46675ac3c6391ed9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 e0a95dc545f3bf220a653e397b4c1015
SHA1 5ed5b95ae1aa44f1158b43cdd947841d801651e4
SHA256 b602c6247d42837cda367493d8f412d2075780bc2fed347a6b57c55e2095e6a2
SHA512 202535b2beee5c8b129a7ac7826379d99230b2ba5edbb5aa7b566c4f9c9733eec54ba12760546332e663586f4fb62e539833b2db727cce6f6e98c5140c23c3b4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 36b49afb0607ec559635c37989f6fcfc
SHA1 d34dc007e623b97dadf9dbada620e25152c9a79d
SHA256 6ecf0bf7482e0378abc82dd3cfee9b5ba09480d9b0dc9c44b110092f68139a6d
SHA512 848a6f96a485986fbe4a00b43cec0f449138c67968753b76a63779e80f72191726c67ce2b499b51362ca7f964f1e4fa6127e450720c11a68d1c8b1e1fa912e6b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 3565d4babfc19fba83199ec2fdbffa6c
SHA1 4fe80487f84b502eee1fa49f5022e39d747f3055
SHA256 cf6a84d46a1affd12d337ffa52a3da319db1b2becfb9c3c6f33df6bf6671bd07
SHA512 23a94784c87c9bc0d4246223f84701f6398f4db49a1a67404c79b105e4a2c99c116270b5b3f247f4628f459ee313e577f93d7f2df912482c1ed04e1384e33a53

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 ea5554b8b026da916a69eef604efee29
SHA1 83e8ec0422f17aa5238833dc0118d7c059f48370
SHA256 03effe701b66a376ff6ee63cad37afc5b80c9d454127ee8826a83f672dc1b480
SHA512 8cdf750f35b44493242e4d164e828b00d7ce50ce7282dde1b515f30401aa18475e7a68995aa9aefe710c8463da69ddb9ad9e381de9436ad2e2b951b9c38864a9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 10cb16e6ee36b966bf95df37df0ee6e2
SHA1 516342737101c9893d1208255a5d3876ef89ed88
SHA256 f3f791aed8eaa2dccfb570f919602ac45ac6a46da3c8ec7d6a2a9c3e89839080
SHA512 1accdd6d8961388d0951e0b527a5c15a9c8bba10626499bb541275493b917a0ae9538e2a70370238dabc26a542ede6c2a004cc77387014015ff7b5d66d776743

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 c996bc38dfc404494f60efba23be6515
SHA1 b11e908f644d9ee2c34a1de252cef8fa860ced7b
SHA256 3e0234596fccc8b1635b3684e39920c609f0c970b055676bfa555a8cb7446371
SHA512 0530a4687dd387dd4a278c904aff5b569fcce8fa8b3d4ce48f17e2ba591e7458f5350ae802441af434a486a7599b93f7d3d1e236f0d4e0284807159bcc8cc2c0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 431e725fb085821648af568d1ab88523
SHA1 c0102924bdee4cdf3a99d09011cee02295c864ce
SHA256 efb9a9eb05cb201b853d6c3689af56ee9e5fc56cd8edc97ae319b669c0cdc8f4
SHA512 2233e246e0e48894f0fd3e52396d8961aedffd205cf973100d7d762660e5f68d957b89215d1d911c33c108b4e2de024ac839b2c49ae8235202957c68f6ae23b8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 c9b8e5761a433cd8d4b88cdf8b57431d
SHA1 4d7062a87b1e100d70102003e33f27c15a2cf498
SHA256 e03ceb04b7df3d8e7ff41c86ba76d3115966635f6e71ec353f1d6354a3096b52
SHA512 2349df38d9de0406391cc8fc55f4bf6f18cffc20607ae1c82e665556cc53db75f90fccb794effbe16901c610c2df819a57fe6bdda53a77d9c2a594d284fbaf28

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 2b56c4f08f298854f1df45ff5752c78f
SHA1 dd517602b9c96a3c270cc8ad1e24478f9c196294

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 01:51

Reported

2024-10-18 01:54

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (80) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\ProgramData\saEUYcMA\oAkQEoAo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gGMwYMUM.exe = "C:\\Users\\Admin\\cmIYcEAU\\gGMwYMUM.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oAkQEoAo.exe = "C:\\ProgramData\\saEUYcMA\\oAkQEoAo.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oAkQEoAo.exe = "C:\\ProgramData\\saEUYcMA\\oAkQEoAo.exe" C:\ProgramData\saEUYcMA\oAkQEoAo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gGMwYMUM.exe = "C:\\Users\\Admin\\cmIYcEAU\\gGMwYMUM.exe" C:\Users\Admin\cmIYcEAU\gGMwYMUM.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\saEUYcMA\oAkQEoAo.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\saEUYcMA\oAkQEoAo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\cmIYcEAU\gGMwYMUM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\saEUYcMA\oAkQEoAo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{75064E7B-CBAB-43B6-B3A2-D9C332561D9C}\.cr\windowsdesktop-runtime-7.0.11-win-x64.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\saEUYcMA\oAkQEoAo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\saEUYcMA\oAkQEoAo.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe C:\Users\Admin\cmIYcEAU\gGMwYMUM.exe (3 identical entries)
PID 1932 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe C:\ProgramData\saEUYcMA\oAkQEoAo.exe (3 identical entries)
PID 1932 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1932 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe C:\Windows\SysWOW64\reg.exe (3 identical entries)
PID 1932 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe C:\Windows\SysWOW64\reg.exe (3 identical entries)
PID 1932 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe C:\Windows\SysWOW64\reg.exe (3 identical entries)
PID 1664 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe (3 identical entries)
PID 860 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe C:\Windows\Temp\{75064E7B-CBAB-43B6-B3A2-D9C332561D9C}\.cr\windowsdesktop-runtime-7.0.11-win-x64.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_a8720a3bce097f539f5e9edee951522a_virlock.exe"

C:\Users\Admin\cmIYcEAU\gGMwYMUM.exe

"C:\Users\Admin\cmIYcEAU\gGMwYMUM.exe"

C:\ProgramData\saEUYcMA\oAkQEoAo.exe

"C:\ProgramData\saEUYcMA\oAkQEoAo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe

C:\Windows\Temp\{75064E7B-CBAB-43B6-B3A2-D9C332561D9C}\.cr\windowsdesktop-runtime-7.0.11-win-x64.exe

"C:\Windows\Temp\{75064E7B-CBAB-43B6-B3A2-D9C332561D9C}\.cr\windowsdesktop-runtime-7.0.11-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.11-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548

Network


Files


C:\Users\Admin\AppData\Local\Temp\yIUU.exe

MD5 67674d989c2e4479aa0ccd53a7f572c8
SHA1 49941ac8d9a0d2b35e279f48d614809a514170b2
SHA256 a120776d46e94f39750746a0de96a16f34f22c362ce047b303d167ee676d8cb2
SHA512 429cdbbb69c3dbe7fc56b8f35d5503a03ee37d44106e7bfe42ef98be05f05134162c7adb3aeb4b1390b4c502d2a4a773b0342c7ee8bf1f4e227d5ae1ead33c19

C:\Users\Admin\AppData\Local\Temp\sgQu.exe

MD5 a97262f4241cf7b4392cf58805b035b0
SHA1 ad85b5fc1d581b4c5adfd413f5014b21efccc29f
SHA256 8014c3c6365972e85828a7e1d0d522536be03856a7af655a86ee299f5dcd9171
SHA512 a87cde7ebb675a4e99a398a2b27ce41f6f33142585c013bfe980632fdbe5b8fd24487df79a496998847f8d9097770d1ef2c844930113d53953178e10017103bd

C:\Users\Admin\AppData\Local\Temp\kcQI.exe

MD5 6673cf938255eb77c15bb6a58ad8f3a3
SHA1 e9c3ced5e151bc94bd712d4f14cb34753af64aac
SHA256 ff6a3b92958fc90ffb72f63375496e1b4a9b5e268e045c9407cab1cbca230de9
SHA512 7039bc83dda0036344a835d4a16f0f0c67bf256fda0fa3f83f624e86f005e1bd2823ab5c866d4db4fd64dd30d0c50766b575203140facf63be7201177f90b6d3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 088988488440546cb4567d0a1c8e7a82
SHA1 57db36f65e97b65c4ec1ab667399dbf811348e29
SHA256 5b9dc3717a39be3795f79395035ddb07c773b952372b3fc26bc66c2faa418e91
SHA512 14a00130922259b0b547063cee8a6e80b26c239358e9850f8788b8038e5b55b72ea80b7a19e6d54944d2ff65756ecbfcbb3a6a682ff32199bfe694f38e25d0da

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 0318a15e2c9228d1cdb482047b35febd
SHA1 59fe84a89c0cb16d0302b253a3b783f9075855a3
SHA256 e1518175272ec96114e6c7df6e0eee5b24fb9e9ddf8d2c34cef3831414f8f567
SHA512 0d87097e6bbde1ae7ec1176e15157dc663e563095e4303cf8d927063fd631615c0144224dbb5ea9457818c15a94033aca36ca155095c0cb726b04c9c519543e4

C:\Users\Admin\AppData\Local\Temp\wEcu.exe

MD5 f56bda5b8e0a38d5147992bb4584955c
SHA1 6af25b9abcd5ea36910dd61a58389339b2c5b08c
SHA256 fd1bf82c6d7713a911af49a7db2c2b13e4471a0e12ff40f7d998c83571c178dc
SHA512 119f10a6fc1021f6104107901ed21fe49af269f32fc0fddb6cedebb61ae893336495826c4cbf0a530e789c79ebc152276803864d4994a21276cb51c0548e4863

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

MD5 73bd8251ca6bfe8df3ce08267bcb9641
SHA1 600afdcef4a4ae13f1b1ce7703a26666aca67653
SHA256 c47a5ce3ba08b8bbc8486f191540316f0ba3a0aaffe07fe21b0c2b4beb466795
SHA512 173f057ec025cda169a59ada96ee57b4c8545de7ca6956de2829559ebfb087d2f8ade1cd6b4f2fee9542803ff4ff9934ba2313673f7d34606da871e9b48a9d6a

C:\Users\Admin\AppData\Local\Temp\MgcC.exe

MD5 2c59b51292efdc56d4a64fcbf424bd70
SHA1 8cee5ccf64bdf9583ec53fe59786d26e528f30dd
SHA256 30b48cf4275dd4f847aa3789f846682140176ab000960230f38d36b7fe2c42ed
SHA512 dd3c0f03a4a18198d61b30ad83ad1dda264b1f66e735f5363a0f50c0552f89d36a72f0eb50b8d905235da39d233fa41fd7a3b032142e011b631faf994ba41363

C:\Users\Admin\AppData\Local\Temp\Eskw.exe

MD5 d77dc9bd3f584f68d4b23d9ea04637ad
SHA1 65527844d286b5c4c8c056f0e43e76858e1c94de
SHA256 a868711fdae2a0aff9aa7062692fcca4e0ba6fb26cc88c0e2f9f67e246b86101
SHA512 ab835e1dc476acffe317b73fb4045c2750d8fd1a7652de26e2bb22b9f705bbc00aba07b37e250556a2c2312c3d8bf3b82b5ec7aa48619076c359308e443c6b2c

C:\Users\Admin\AppData\Local\Temp\igQK.exe

MD5 f3cfb26b7f2247c5e3db5e654901de53
SHA1 2eb66a299e7537e1df35351579fe11bceba78c8f
SHA256 5fff40a606189cd2ef15f8edf46ebe6fa0de60737d2b941d49eb2defb93257e8
SHA512 9755aeaff7e0607d491484f3fcabc860620b5692ffaa7ccbe0b505b016b4f854a4561506af5c8ba8905a01a54b3c1e783891514721c9f5a4d9dd53e349413ab9

C:\Users\Admin\AppData\Local\Temp\soEg.exe

MD5 12267c7c01c2ad51a947f09b9596c495
SHA1 b536453906a7ba74384275ca7e952bc1078826d2
SHA256 35ad8cce0915c594fed49488373cca8d20bf90fc4f076f2311d879aa9847a817
SHA512 53d67ee32ea6b07713e25aa60d414d149b609e94501c058b2d48e3253ee1cf82b09c9d05a277af042a72205bba369fd7016f9490e4f68e51f41536fe50cd48f3

C:\Users\Admin\AppData\Local\Temp\qUoO.exe

MD5 f41eaf9dbf1236ef0c662f4940208549
SHA1 db66ad6d6d75d434c63afd18702fa56213355d81
SHA256 573c52fd17457fcce95034c368b4f52518f2208d2d6146245574e20525e56a23
SHA512 b3bb3882386edd6249c667bbcfe17bd8f4a918017fc51774d5d111bd9f27fad92910b1831e64e11d9e4925fac14264d9c58470fd8427dca7725b0ae5932d010f

C:\Users\Admin\AppData\Local\Temp\Qooe.exe

MD5 38fd576ee9edb2999eee5327e293ad80
SHA1 584a85f8b2ac1737284d579565b86a71b050a26f
SHA256 6b5c7847efab45a0d9dd128e8590ed27e7c96905e65ab037144004d781cabd1f
SHA512 5f98e6e17a4600d41928c9561949e037f9d58484a35693b043a6fc41bdfba3b72f30c0e525272f6120093de328a78ca5de9529de24ee69d19a8791fcbab87da2

C:\Users\Admin\AppData\Local\Temp\SgEM.exe

MD5 3d4e2dd7d5e2df7b7ed9ec6da301a28d
SHA1 0b8078b3cfbb9eccbbf6284593b36431661a49ea
SHA256 7951328a6552f6fd85061a5bfb7bb626b335e2e7617271e6ade3d43f6c752f54
SHA512 fa556670ad7477895304854e77a0f8b959cfe3aac8705e2344e22a5a722f283cdff6e462c60c73e5d7716dcdb2d909333cd376e10a4213fdaa1d5b2d289ccf22

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 332a6716dbf511d90c508bdd10e21c90
SHA1 2f0f1c9387866a66b05b2e4cdeb54d7ebed58bb3
SHA256 a9010be055a35c3221505fc06fa4c6c66f03ca3d2bd52425892f98e5cbf8df8a
SHA512 fe2923134e17de09d22edc42b79f2e15b36bd838c94a14be5037e9af49027ac8f740f7c0aa4daab8c59fc0b547e36f95b66eead927c5f0c6dfd0dc0c047fbffd

C:\Users\Admin\AppData\Local\Temp\mQgA.exe

MD5 2f7e704bd68ad47388528dd7295de2f1
SHA1 a74ace139913672cf52c0d6bbdc786dddc7e56ec
SHA256 4be92dc26d8847b57a08884b1bc6a1a18ca7247c1644f1c6d1b674b830182fee
SHA512 1c969d4e9c2e56607155bbbf0a2ac82b00ea4e1d88f598d43156dced43a023797ff6a0a12700f104e031e0a39ab3df3388df2651e95ffad8dd6b9a9ba0236f7e

C:\Users\Admin\AppData\Local\Temp\KIka.exe

MD5 4fd793e9c8d999a6cf6587cefc0b25dd
SHA1 1a9e4a28836a97a568363c778816a20ead469e56
SHA256 244b95a78cbe7464f2c5c427b422d71daac795a825e0885419fa40a182e73625
SHA512 3b3eac0c431b419c905765c0a2ad38d7ed5af24acbfa6d7764e1f0a437b867ade60bf4bc93546d048c88e72f4449fe4ba9c9cbc7604be6c57af1bac7f62058b4

C:\Users\Admin\AppData\Local\Temp\YgsO.exe

MD5 0ec5d35491e618957b3f56f9767b0660
SHA1 bd7aa81bc110784d5fdbd51dd06a2d6492af2dd5
SHA256 3459835ad2fad700b6bab0d9960e603ac1b4eb28cf48fa1d0511d86e63b5709a
SHA512 ef1b783b00b28db01cd53c64d4c6d4ba784f667d474e2fa841d2caf3d006a4b6f7ef54fc4a67c1aaeb7e9bd08edaf0458d1196117f9b303aca8f0607ff7de56c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe

MD5 879d334b60e747f3ebffa3094222c2d4
SHA1 ea5421f1868b2d14bcff6b6557ac992af0e43a4f
SHA256 39498edd9f5721271bda439fe54a20a8b47e4d308884a49a163b1ccfbb9b8850
SHA512 b3c0e8cc51168fb305fc81b2957f901255ac2fefaa39d173c3587173478843dc8cfe604d3ca674c2c58ef295c06b9304cbca19160824efec11a6b51ac4410d10

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

MD5 02b1a72e6c3d35319ac88dd0be13ec66
SHA1 cc5d7e5dab8b4b2c75fd8f441de47297eef12308
SHA256 1280a09464148852fb5f9a9d3bba9376c822e8fb263aa33fdc81fd6765e7e922
SHA512 93ad780a9a3e233831585f806233bed86c6d4f0d09fe9039a6d7b851d24f17c1460e5449c162d06a7a4c88325d0de5a0c3b1bb7e1a28e4c27535e431a160946f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 68a8b68c3c7da1e9013304d0b4359d5b
SHA1 47f68740a8deec5b293e506bbf69293ef0637eef
SHA256 4e2ec04f48e49591189e887279143d0c5b14585485291948443b0d1482f9af21
SHA512 4b45fb5b40d6166086f72229c01524282e43c7c5a4812bc321df74cb12815bd49631a415ec4f4399c00088ecee81c5dabae1cabf32ac5278425437be9e46eb00

C:\Users\Admin\AppData\Local\Temp\oQAi.exe

MD5 a4f1a46965ac894b5ccda014cdc2ad68
SHA1 3dda6704d348cbc1f1e8329798faac9092e58881
SHA256 e70f7be371ea99181ce4febec22f491d1b9cffd23356b7f59689cedad5f53eee
SHA512 ec2dda93cb8b40619db66b1b07e00cc803db85e9c640dc809aea3a561533ac03c607d6f8f8359eaa0273c3f5959bd442e8da6ac350bfe7a5b6eac165cf9b562b

C:\Users\Admin\AppData\Local\Temp\kAQQ.exe

MD5 84c46af5e123849e96ab083c13164fed
SHA1 d4241c35a6b480b4bb7524be4dbf698d497bb518
SHA256 7ec1590ba93ae399c8094d8ddaa919cb993fccfeb6e4ffdf4e492def74496ab7
SHA512 d75753b3a03fe1202d58407380a5280ff59464b9fc307ef80d1ade3c6e0d148acb1623180fcd96155deff274be92ec5fa4c83701715af26249b88dc4fa3e7edc

C:\Users\Admin\AppData\Local\Temp\EgUg.exe

MD5 eb4dce417f6ec0a4a7cf09c5e4243270
SHA1 bab1ccb1f576564193443a65515ddba40b6193e2
SHA256 3eaac49e14d58bc606e60e8bc955ccba25542f728b3f39b52532fec2815b27c5
SHA512 24d246626e940d30efefe8170c12c34a6b5c66d1aa849e7e8dff9e74611700d922efc542f75bfdb1840867c3ecc348b20eba82548e09bc3b9622b46c00684e36

C:\Users\Admin\AppData\Local\Temp\Osom.exe

MD5 2f0650fb374735be56d3e948feb262ed
SHA1 68b94687928a9838c3e62751ebea1ecebb9caa8a
SHA256 1a7d684db72c6588d79cac39144660ebd10232484fbdb28c9aafb40bd1023005
SHA512 41bca404e4b015f38858bc9c387f51045771696c944c2b468387d6ed9e2792be02d67fd7da49620d7385eb2eeef7dc7ed2e68e88a35ca20804bf9d103a6c6ba7

C:\Users\Admin\AppData\Local\Temp\ooYK.exe

MD5 23fd3c731aa3205a97d02b74c46611e2
SHA1 b58fd27bd4d6777b46838b1888be2bcd4b03b634
SHA256 1fac62bd61b3482a62996f9bf3f4b8ddc84b1be6763ee81f8979bb74a6b779cb
SHA512 081d72aa948d975d3c5749c79fab57166e6ef51a13e185524ae0b96d75baaf10097f23850939d866c3a1afd235a112d35850be2945d610f04b84f8bb76444309

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

MD5 3818f5963b5661415134e0c38c741feb
SHA1 6b3ec049f31b8a11b9151b78717cdfb9d6e0ecf4
SHA256 d2c8aa049eb785bf5675cccba286b522f379328eb3a2381bd457d94c80f0a68f
SHA512 a727198fd2678499b7a2da6611574d466e86234071a3009f7a6fb02b13705ca6b977d22145905f2b8405c4fac6964d0c2ecce9794903ec40b51e9a00f21b15ad

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

MD5 373620fc516f379412a95d10d076dc2c
SHA1 cc4c90b1ffee307bd87f384807d5a91564ef4b43
SHA256 65bddf6783b28e45e9763439458626342b564b2ab068ff94e196f7060905841a
SHA512 51c75514b3c2e9c2beecfe203b75e96ebee8cd054d74adc1e9f4e9f0a92f971e6d0dd444117729c3e286f6a0d3676879d61c989d079b0e0782c612a6bdeb9403

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

MD5 9a81947668cc58b0f1521b0c8cda8c57
SHA1 38e89d4a8e129d11df3c2c2d7ca52719337a9875
SHA256 595bb6dd45038f8d72c1fb9852a60caabeda9b8278ccf60ef81943cf1349e297
SHA512 25834cab5c00bbbea6729f5592ab4699f508a523ceb2914e459a54f91e2639526ef6a09c6a20300b8c85b9744bc165f339b633369c2944857b2dedef5233824c

C:\Users\Admin\AppData\Local\Temp\wQwU.exe

MD5 fea947af22b119ea9e18d74f32b9b777
SHA1 b6796801b66826490352de3a71cfef978352ed6e
SHA256 05880743cc3b47fd8beadd39f05fe9fbd16fe53243dfe09480f586087088166f
SHA512 410eb6031d72449ba31a65fee68ba55fa352d36d0a4cde3e34e3adae3063eec4a28483b1d3fbdb59f16b072dbbe87274af5c9b005b1de6d541885cee26078594

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 76462b1cab977a95353261f96299c3d2
SHA1 e8f0a13f66676e3a6344b74184e85b44c333da64
SHA256 d7c47092b2b205dc327cd47215463ae9fea7f72cc71da6737c76032b5d88510a
SHA512 c6450cea4544362f7583e7b6d478a85c5e0e4f688f7e389ee9b713d4528ac101dfd5ee8da478a74cd7b6ecf0e105f6bfe127d35442fff64200517ba882c60c91

C:\Users\Admin\AppData\Local\Temp\Owkq.exe

MD5 01001373896a51cf042d239da7f56efb
SHA1 2ca536996724d65b575af7a1950257a8a1ebab0e
SHA256 e8afd327dc5e944da477d728243be620f1e8a23b993025c55193281df4631036
SHA512 26515172f3be628ff5cd0facbd13d3ec014a0f229ac16dff1f750005b19e802a4264d0f26e2f63e398f8f645bad3972d917af4221089a499be69b8ffe3e97534

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 f74c4f7ef79d213c98e92fd8af0658e2
SHA1 6170111d25a07ebd4a0b3e801e6340404f97c77a
SHA256 551cdcc64a4bcbc9b250cf2219d9574b1f83eeec318ed8f87ebaf0c769581881
SHA512 029f5398ed17a34ea772bce9a41d358f5ecdfd943de0d00604813c1fe17ce0b9cd4bd2bdf9cd82839ee615f8574bb4fc9ddfc6f8564edde1528122b2f47876fc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

MD5 4b62eb76b263f9fbd3d171ce2951702b
SHA1 7e348057b6a18fb5f2530719c75b008b636d530d
SHA256 29349ab119a2215b0f27da9acfa65cb0ba846a1571ca23197290aff8eab4d04f
SHA512 0934d45a18c1795d478bdc88eaee0b27cbc54f6c0036099a25d642d0527da6ef0598bf74dbf1c45af52bf736771b2c25cd82525dba5a6af1026a5628d6e5a602

C:\Users\Admin\AppData\Local\Temp\acQQ.exe

MD5 b04b2e127c33428fa1b2b6b9c7034d5d
SHA1 631a863f4d4bdbb3ca12c8f0f3c30181bbc1ee64
SHA256 8f38b55e668981d0a61dc989ffe6d84c4ac56f0e92ec449319c885b16820faf5
SHA512 5f217682e18b3e5c636c8245900a072326d9a69bdd0ff1a14185a53034c3115e18bb70d1cc56c0e126e513b9ce85d27233cc26f9858b041092d989d6fec47dd3

C:\Users\Admin\AppData\Local\Temp\IYsM.exe

MD5 cc0b14674d86809fdfbabb1f2ec6e124
SHA1 5ad557eec5437e0ded74589a89454db694a63c7e
SHA256 ee1afe491f7431b815635b7613d03ae7984d4f01cabcd126b9ed2724cc4c7f7f
SHA512 53f5bec4a443cfcb18d281b30eb617782312f6280bf4c08faa343cd06a50c17885686e8df7071cb4b41f6e075d5277b5ad9e5fa7d885b00b69bdc82ac6785372

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 e647d766147e8bbd83d4fdb3778e657b
SHA1 ba1d615bb20b7472609bc24588e6bfaa007908ce
SHA256 a5e975d074a504355953c510098222e99e51d03fb815d1ae2499c271c7aa5fd6
SHA512 d050e0cb2ac58bb562eb1c60f9d7134db0e50b0ce8f571fd1698a63a0be34de966fff407a0846103b407a792ea5a8a2170917182b0ea6663430ba41a78682247

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 a40b82039111039ad55adcf8f4a85d3b
SHA1 ffb9d0e9dd9db72f8108cd24b336a12fb7d18e07
SHA256 65cf1c7d8dd264329c9f53c62c877b623eb8f103d830a1a29e1e3aa60bb40db9
SHA512 a34834771eabe7340be7881c1a1b5b4761362d77531de4c7256538d29e038bafaf42a3067059dee3e434f211be43e4d53d629c3daddafe4dd07c9996b247f5cf

C:\Users\Admin\AppData\Local\Temp\mcIC.exe

MD5 00e5444e7f024cc2a0f998f5ce748771
SHA1 c1db1fb4f7b15c3f4ed0419abdf9959bae47d341
SHA256 7410c815ac7c0493d8bb625c13da6114d5387944b5475ab031dc2bf3ecc8f8a6
SHA512 3e1e105fa1e15af54ed223a87669854a2556dd6f146d596915cac2632ff234114969f65c9ae74758d9bd3d026cb23e3d83ae25ff9f856692e5f8f296eefaff6f

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 20d98292611b00897ad76ececa42bc43
SHA1 6e2b030be2360a198db29095c77296b987401781
SHA256 9bc6c6754072c1363d77e12946a88daf4c5eb32485a1862815e0df8b5369599f
SHA512 5de54adb0d31268b6360a4e7bc238d24fc75be002f1033760472a1d0de9b3eb813b6ab7c78b9d7849ccb544560480f81d31b81c327469e1ab2dc8def53e05b9e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 639d5a5a09d6eecf82a291be01b43755
SHA1 784561e78c731b4f3f9bc3e62c64edbe964cd1b1
SHA256 7be1e5f6d2fab1942c8efcbc689995e41740888b8e4f194b29767cf2ce984342
SHA512 a18e7b226bbddcd8ff3e01acea99aba4d84c5fbea6cfd5a809c0eefce885711ade0c9b8547ce8f4c78551c2f48cd7b880ce64bdd281534ad9cff3fcd6cd20868

C:\Users\Admin\AppData\Local\Temp\sYoO.exe

MD5 800a4ee6076a7b82fe5c342774a30ba4
SHA1 4e49ef927f8a6b6a83cf7cab0d8441f1e4fc4d5d
SHA256 20bee0f2c48e22a2ae26677bb2a2dffcccf95c80b219d9dab8702ed1169e80ca
SHA512 80896ffd10f4811ef41009a661571f2718d0c12e85c1c36017e8a1fad9c24a1947a3b0bc87bad1aba5064aa37988536319f225c9b07da2f65642f1b90ea2acbb

C:\Users\Admin\AppData\Local\Temp\AEAs.exe

MD5 07692185a55d5e2f2cc42ba1d9bbf7e9
SHA1 57d419b682054e214953bc0d1e441e163fbe35e2
SHA256 5bc92cb7c62aef0358072c1d90af2cebe28735dee7c72e052283c6ed1f18dba5
SHA512 1a5f3ac6897b62e2886039401f67a686a1a1673505d7a5508ae25cfd14085112f50c531b35292eb3b69f0e5adde503f2990a2c8f61091905ef010a8f1ad96ca0

C:\Users\Admin\AppData\Local\Temp\kQsa.exe

MD5 3ee421f27311b8f65dfdd3b95d7d31c4
SHA1 c8bab68feedfa69bba91cdac9aad8066b4bc6f03
SHA256 7be606a47c015390845ead134bcc40ba45dacdd6b721b5aa29f351415c11b2f7
SHA512 c9cb9470ce75ea08db39c00a9c247e00abc7261e0c3d99613aba1c515466e0984561cc5053d582d2fe1e9f6eebadc8a5e7fcf4feddc4c297b4b975b92ef1856a

C:\Users\Admin\AppData\Local\Temp\aQoI.exe

MD5 0f0d2ed8e914e1d95a9c58951b345a9d
SHA1 1b242b30e63b30f429b7eb3119ebf2c7b8ca995e
SHA256 51ad1350f3d813ced114b894c33f2cac42a4281987b1b807d79f3938d0c68bc8
SHA512 f599853f1ee474ef590e849995628d9d3027a4ae83c36699e29821752fd40809fb8fe497f0baac5feef9e7008607000c3defb3439c4499c148a077d75403283c

C:\Users\Admin\AppData\Roaming\ResizeInvoke.exe

MD5 39b5b0d2d2bbf60b1d0422b8f7fab1df
SHA1 60aa8f4a0d3649b9a966bf5f7a219cd8f681498f
SHA256 4dfbcd08223c6619bdc75ab18c200342e1f1355a5caafb6e74ce04a8b69178b4
SHA512 cf5d99462739c4ff3d9e0e9f1f3123d297660d02fc4ca1d02aa1265628bc6cb7f46530ef10c91fb93fd94df48de8889e893a2f9be232e9d6bbbbbe60038c8806

C:\Users\Admin\AppData\Roaming\SubmitRead.mpg.exe

MD5 1c60c6fe8e1ee3d28bdd2942047e7ed8
SHA1 0c7ed8e827cb21973b32b0d82dbe954648b45ffc
SHA256 a441124bc2acd983ea5c35511ec77ae1e5ce4934b4c1919b0b6c4e487d0ad3fc
SHA512 7c732321ba2dec8d0c679ad88f5f27bb44a72a5d79c2387e00bc2bcffea46e48bfe04127bb5f3149f6a2e028f0e704a5aa2e5a1d5f941530ebb3ef63b9d2d652

C:\Users\Admin\AppData\Local\Temp\UwgA.exe

MD5 e1100a005a47e617a67443525d40658d
SHA1 c5f9fd09c2700bf902e51ae0e73c00b6708d4759
SHA256 951907ec502b8cfee5747d9bccf808abd4672cea114bc9f0966cdbf1c9f766ea
SHA512 a8db525e2274536e2857a43bdb7e13a7f2c58f523bf25e03f2b0ff0075f096e2b0b7f4fe6f3da50ba045ad10b5cd1b49bc8eae5eac4ace76112f279cd3b0336c

C:\Users\Admin\AppData\Local\Temp\wQIc.exe

MD5 b627045e9b4b3c9704b2396086a7de1c
SHA1 0eac8a5589a6d132b508514866d9d2a741f551f5
SHA256 d32cb32920e9598ac53e21681db487c3598dc39f56627d8cb584ec666846f091
SHA512 e92402723482217f19027568e889baed7174de273a47ee8c93c5b22e00aa36f807b5e30a5672b394062104be7d9eab0b5a0403129eedaa288b9271a30081b98f

C:\Users\Admin\AppData\Local\Temp\mEos.exe

MD5 d74a328ef8240423e32dbff5809944ad
SHA1 49f6afae91d42a13ab7845d409fa8e1ad841b2f8
SHA256 f272de51fd7ba8f5a0ba6742e215e3f4b9e3adede15e82c68d503b68a15a595c
SHA512 a3e443f99161dedc9550094ba6b6e230efdda9334ca3386d6aa5bb5e48dab85a6cdf22fe77ac18256faadd05189462a5f6d0dcd543030e5b7902a47cddb4e6ad

C:\Users\Admin\AppData\Local\Temp\yIwG.exe

MD5 169424488e9ee4f7580fcaf5d48f4f81
SHA1 8a2f79c913810793902ce19322ef6d6a04b1cab2
SHA256 e1e5a39fa43e89811fcb851fa7f2c85ef8e7a621b0cff60f221ba6c71bcfb33d
SHA512 4a8168f06f4deb6862287da736349b56503a834f136b2eccf6c654073733c47513282e89fb9ce99bd94f0d20d012800c9016b6d9265739f0e628f4a87fa9a1ec

C:\Users\Admin\Downloads\BlockTest.rar.exe

MD5 4fc705055e6a9f36a7629f22f53cad5d
SHA1 2dc82bbfd6d176fc227a20d522b6987d6dbcdec3
SHA256 d27663bde99fe7c46fa6278674eae7c435e2525bf98c0bf60492c2a03ce45d95
SHA512 f199973498b246e096e684754847ed528e6a2bf435eac729ba4ff575ea40ac08c52c8d4bce5b5e1dd3cfb7f2a569d9adaf9f4ccb553d2a729f5da31df30fcff0

C:\Users\Admin\Downloads\ConnectLimit.exe

MD5 690889dcbaf7135a538c8d97d2a66bfe
SHA1 0a4f15b62ba5812cab2fcc18bfb558a9127455ed
SHA256 785bb3891e4c22340102fc900b9acf9980806efefb0dd3c4146d61a87c93ecbb
SHA512 b724bee04e1f6eb1151672cb72c1ed55aad7e263320752db365a61df36f4a43e0c969aabc8eb600e4f4f22b0a358ca3c52a4e7d69b9f5f08062b6c4ebcec1c28

C:\Users\Admin\AppData\Local\Temp\QskM.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\cAws.exe

MD5 9f5da23d20d474e79396f336228eafc3
SHA1 bced00fc55ff0f6293234cd11e8bb6f4b8d363ac
SHA256 d84020adb8e93f42af19e9e298ee29f308ce167627016b1b17ed582ace01c917
SHA512 8013060a38e13d6d435ada5d1329a120360b45bdfaf6d4962555ba7f1d7d85cac764b74e110fddfc739c93fc1a6a660e2286d694dfc7655224aba77cf12193b5

C:\Users\Admin\AppData\Local\Temp\mEUC.exe

MD5 1be11c4db4d1406380d91a98d1cbd0ac
SHA1 e7f109009047606a735aefc44fa23c2db7225b03
SHA256 3926ec2f23009055913938b51373d76896a59a5dfe513f3d1b196e7f89446f21
SHA512 7c07530f35067322d931c01f5f7b27a7b6bc700827d747b52e00447485ddf301d2e32187b44e3cd53a899791fbdf604fb581b4917770d955768c903a264458a5

C:\Users\Admin\AppData\Local\Temp\EUQA.exe

MD5 d5b5e62d7414eb5b2719b8aa37747248
SHA1 8430e414f4ddbd675c1c01b29645b681ceae12af
SHA256 c83b0785a050104dae4f8a1c5e4241f6406d12745ffde91d0c2768b87fac17bf
SHA512 45e46d7fac3586c7983298cced6640afc5b6ffbb1bf750a6e148b6018fda86c99728d32b8faecbdead11393806f38f30fbe731a36c5716f6bb33fa4b59d07f17

C:\Users\Admin\AppData\Local\Temp\sQII.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Downloads\InvokeRegister.wma.exe

MD5 b3541051b08a84549aa6aa61b951666b
SHA1 7e91e4a67f61317976cfd536373f8fb6855f3bda
SHA256 d5dac184a0b92179f4a0b2ed4c28e404d5e76347888102acfa284e3882d983ab
SHA512 a4b239b8e7eacb8297707615cbec4d8bcd485bb0f3e5fd23ec473da2f08cd7d576d79b753ea94fc991d92a1a21e72e62ef85262aea207adf7de19eb5526c21e2

C:\Users\Admin\Downloads\SavePing.mpg.exe

MD5 57f17384ace16699c39ddb80a0447ddd
SHA1 29cbd755556f74e06931660ef53aad6ed92ec112
SHA256 f4d39499a6e778d7e2d08b6764b45ad5af8095584b8cc1393786762da5bc0d06
SHA512 0e50fbd1735cd399c9069d3e9b78aebcb3729384330a8e777b60a8fc48cc0e91d4da6f49db39e41e7bff973d7b0fa0a7c06f61852be5ad25aa581ec47dd9cfd7

C:\Users\Admin\AppData\Local\Temp\WAMY.ico

MD5 57a6e18c725a35d98e4339eff8be7fba
SHA1 120ba558d214e1928e20d66775fc1d2b67bb761f
SHA256 9c9fd45790fe956176aeab743484780b62f28a6dcde6e85cb6c6279ff3323b16
SHA512 16d70a53aad93fb6b70368f981f9d58fb1bb45590513652ede3d1c8933f1d13d36b153fb2e9dea5fc1f6c8ada45a2142b8a8f20598e705d78376d3e28e9aa5fd

C:\Users\Admin\AppData\Local\Temp\ookY.exe

MD5 07a820ed451ae735e56688dff759fcd9
SHA1 f3223f629d97c8582e432e8f6a093b9b936737c0
SHA256 fda2b0bc7ad7e229a320ffe1a1715de30b13e7e97f99edff72e9bc11b7df7280
SHA512 327b06e7b91da23dd5bfc888a9a3231d060edad279acb13f972d3ed777f4adcd8703ef6a076ec2a6157fec9b459b532f0b34b2cdcbb48c7520d6d33757837757

C:\Users\Admin\Music\CopyTrace.doc.exe

MD5 c88635ceb5a54dd8ca6949cb8a4a8e73
SHA1 d3969e6379e1629fb70674935706444e2d5ace43
SHA256 851c11d93ef9a90cffc7a27e8097f725b1a3be4df5c03c6ec4022b87632c2aa4
SHA512 2ab56ec3ef77c1e9420e6b58f848aad45d1fe8a20c091ffca8ca75317a002b92d817f4372ee67c6128697e852e065631a3ab36254c01a2583bd6088687cb2b99

C:\Users\Admin\AppData\Local\Temp\Qcwu.exe

MD5 4cfebea1673f916b8a7e81088563f728
SHA1 21f7773165a637a37ead36460047188c2584816c
SHA256 e982b9dec5d7dc12809ba60c0c8d3fd365d2eceb763700497e315032caaab48f
SHA512 a0f673c4ea966e3aec077da4e4155c19375062f89073d152ad633aa52cc4b938172bba390eac17ca1310699e42789a8d99e333eecc2aae4ec1677c41d8271b99

C:\Users\Admin\AppData\Local\Temp\CIgA.exe

MD5 d2e5b079fe790bc668ed7549a41af37e
SHA1 317e615d3c9993a5936731825bbe591c26a9e52b
SHA256 a102fc950b7cd509b40c8eb6662aa7112c3d8af2852ebcbde0dddf4da29a3882
SHA512 d51e1d92dfc8eef53a78c9e543ce8d266e0b452e32e6aed83249c71f51be2acdd71673ce00d51ae9ef3c17d8a2fdfc79b95e0590b7ec356b9002be0efa5a9552

C:\Users\Admin\Pictures\UnregisterSend.jpg.exe

MD5 0b29f4e66b303ec0c6b2b503880ae881
SHA1 b22d875e612d7a595ff664db56602cc68bb6f672
SHA256 2b1d06f22e51cd1f94ec1306c3aa7993bc4874bc1e438a2d9b17ce65239c53a8
SHA512 78152ee8f48f9b0d2740742760d45776ad1c1f5231f7119a943883accf2beeb538ecc8e141b98e75340af878b180a7876fe0e4a20d046b63b5f3a05b0fd46a39

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 993b5d81fba8d28bfa45e118e8d50a79
SHA1 fc0776b8ce59458a399816dd4301cd1a620d1d52
SHA256 21f41e1143352e0012432c8f900501767366cc277eaf0d1252db78c2923de8dd
SHA512 f6b4b35b8a5bf8395caf03d35420a7e93fb2f737f15a25ab3ede99a4746bbdde77ae840d7b722ae015c573bf1716c5ecdc11f5931bdd9b61b2190f9a5ab8e47d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 518011143ccf25ef8300d4d944bc9e65
SHA1 f38ff08b1d21634eadfc281c1cb4f511ae136329
SHA256 f79840ff2c401524e293ec55353506d58d07e78d5e59443547f52d2b39c8d27d
SHA512 0f70ab9107d04ae585a222998c57718531a6eeb987fee29c46da76fce308d0b268e0ecc486102effb1a9321933e77e7ef66dcd156b4a17974efcd52da92f6fa2

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 a4223679c288b3878e110e1c0bac8b63
SHA1 14ef6d6acfbf2faf569c6a8ba26b5d50af900478
SHA256 5eca49d898775cffb0dc173f4d760cffe211de554482116994f93397c0260e0c
SHA512 e815d30586d908b5179eda14f71e66c286f946be9999843290a96b511ead9217abcba9827c4e25e758704eb8ae0774a3a000c832b214f5e7f4a25ae3aac02aec

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 d47385cf2541fd99982cd870c1afce4e
SHA1 2f213c59da4d5a72685db2713aacdb8f734009fc
SHA256 622093b1daf9a814d71909b0b7bb8a639ba1748df1d6bc021dfd275a58fecbbb
SHA512 e26ff4a0554cb1d94a25d4ae69fa5ca5b4c2746ce0b76aa8fd9feeb22a950c8087b8974b6b9e7120798b222673dad3c56a2a022e6f13b37225852df82e6b5fb9

C:\Users\Admin\AppData\Local\Temp\AYwc.exe

MD5 e3d35b7314d0748dcf91c40d1f8e4820
SHA1 94d9077dd78022fef1a4bb20c8692b05620878ea
SHA256 806bac22c71e93541e4b7a17c2c6c0f16d054a243fdcacd13f31e9dd7412a24b
SHA512 684608417906573023ca4b2a3cebb0467afcb91ead9a41cf317886212da5e54d57057ca10f73a0c8307a40627527400aa182fb70146ddb424d4c8ad5daca7675

C:\Users\Admin\AppData\Local\Temp\kgAq.exe

MD5 6ad08b4aa01f0ad4a9bf14de2921dd7f
SHA1 8f9c7bc082c52965c1719f920081a2643dc092dc
SHA256 8fd39616a32ac708dd8bd210b3fccfbd842e17027ffa30b5e8f099f59bd675ef
SHA512 30519578a9be32b370bd5a0c820d2cef17c1e5b5a098b0f75fb30d0d32ad26e6c2e379e56e50be1dba6fd94f2df8bc2762bffd507be2c70451f8ec7dca678798

memory/964-1649-0x0000000000400000-0x000000000041D000-memory.dmp

memory/212-1650-0x0000000000400000-0x000000000041D000-memory.dmp