Malware Analysis Report

2025-03-15 08:28

Sample ID 241020-z7apra1bnh
Target 2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock
SHA256 6b7c23e6bd017b5767293816a0f2ab3f131e689778774b2acb506bde1b59df86
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

score
10/10

SHA256

6b7c23e6bd017b5767293816a0f2ab3f131e689778774b2acb506bde1b59df86

Threat Level: Known bad

The file 2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (87) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow
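
Two of the summary lines, "Renames multiple (87) files with added filename extension" and "Modifies visibility of file extensions in Explorer", describe one trick: files under ProgramData reappear with .exe appended (usertile10.bmp.exe, device.png.exe and the other entries in the Files section), and Explorer is then told to hide extensions so the names look unchanged. The following is an added triage helper, not code from the report or the sandbox: it walks a directory tree for files named <name>.<wrapped extension>.<exe|scr|com>, confirms each one actually carries a PE header rather than trusting the name, and hashes it so the result can be compared against an IOC list such as the SHA256 values on this page. The directory fixture and the fake PE bytes are constructed for the example; the wrapped-extension list beyond .bmp/.png/.ico is an assumption.

```python
"""Triage helper for the file-infector pattern in this report: documents and images that have
gained a trailing .exe and now start with a PE header (usertile10.bmp.exe, device.png.exe, ...)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Inner extensions worth flagging when an executable extension has been appended. The .bmp/.png/.ico
# entries come straight from the report's Files list; the rest is an assumption about what a file
# infector typically wraps.
WRAPPED_EXTS = {".bmp", ".png", ".ico", ".jpg", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".zip"}
OUTER_EXTS = {".exe", ".scr", ".com"}


def looks_like_pe(path: Path) -> bool:
    """True when the file has an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    with path.open("rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def sha256_of(path: Path) -> str:
    """Streamed SHA256 of a file, for comparison against a report's hash list."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_double_extension_pes(root, known_bad=frozenset()):
    """Walk `root` and return sorted (path, inner_ext, sha256, hash_in_known_bad) tuples for files
    named <name>.<wrapped ext>.<exe|scr|com> that really are PE images. `known_bad` can be seeded
    with the SHA256 values from a report like this one."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            outer, inner = p.suffix.lower(), Path(p.stem).suffix.lower()
            if outer in OUTER_EXTS and inner in WRAPPED_EXTS and looks_like_pe(p):
                digest = sha256_of(p)
                hits.append((str(p), inner, digest, digest in known_bad))
    return sorted(hits)


def make_fake_pe() -> bytes:
    """Constructed stand-in for an infected file: an MZ header with e_lfanew = 0x40 followed by the
    PE signature. It satisfies looks_like_pe() and nothing else; it is not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\0\0" + bytes(20)


def build_sample_tree() -> Path:
    """Constructed fixture that mirrors the report's naming; returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="virlock_triage_"))
    pics = root / "User Account Pictures" / "Default Pictures"
    pics.mkdir(parents=True)
    (pics / "usertile10.bmp.exe").write_bytes(make_fake_pe())      # wrapped PE: must be flagged
    (pics / "usertile11.bmp").write_bytes(b"BM" + bytes(62))       # genuine bitmap: ignored
    (root / "notes.txt.exe").write_bytes(b"not a PE at all")        # double extension, no MZ: ignored
    (root / "setup.exe").write_bytes(make_fake_pe())                # single-extension PE: out of scope
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_double_extension_pes(sample_root):
        print(*hit)
```

The header check matters: a name-only rule would also flag harmless double-extension files, while a header-only rule would flag every legitimate executable. Checking both, then hashing, gives a short list that can be matched against the report's hashes or handed to a sandbox.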

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 21:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 21:21

Reported

2024-10-20 21:23

Platform

win7-20240729-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
With HideFileExt set to 1, Explorer displays the dropped usertile10.bmp.exe and device.png.exe copies listed under Files as usertile10.bmp and device.png. A second reg.exe command (see Processes) sets Explorer\Advanced\Hidden to 2, which stops files marked hidden from being displayed at all.

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
The signature name is the sandbox's. Writing EnableLUA = 0 does not bypass UAC; it switches the policy off. The value lives under HKLM, so the write only succeeds from a process that already holds administrative rights, and the change takes effect at the next reboot rather than immediately.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe N/A
N/A N/A C:\ProgramData\HsUQEMYI\DQwUMkwI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UgsgoMUs.exe = "C:\\Users\\Admin\\pYQoIwIg\\UgsgoMUs.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DQwUMkwI.exe = "C:\\ProgramData\\HsUQEMYI\\DQwUMkwI.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UgsgoMUs.exe = "C:\\Users\\Admin\\pYQoIwIg\\UgsgoMUs.exe" C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DQwUMkwI.exe = "C:\\ProgramData\\HsUQEMYI\\DQwUMkwI.exe" C:\ProgramData\HsUQEMYI\DQwUMkwI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\HsUQEMYI\DQwUMkwI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe N/A (64 identical rows, all from this process, collapsed into one)

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; the count of recorded calls follows the target PID)
PID 2016 wrote to memory of 2436 (x4) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe
PID 2016 wrote to memory of 2576 (x4) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\ProgramData\HsUQEMYI\DQwUMkwI.exe
PID 2016 wrote to memory of 2172 (x4) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 476 (x4) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2016 wrote to memory of 2352 (x4) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2904 (x7) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2016 wrote to memory of 2060 (x4) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
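
In a text-extracted report the process tree is lost, but the WriteProcessMemory rows above pair every writer PID with the PID it wrote to, which is enough to rebuild parent and child relationships. The following is an added example, not part of the report or of the sandbox's tooling: a small Python parser that reads rows in the form shown above (accepting an optional "(xN)" count after the target PID), builds the tree, and renders it with the number of recorded writes on each edge. The sample rows are a constructed subset of this report's rows; image paths are matched as non-whitespace runs, so paths containing spaces would need a different pattern.

```python
"""Rebuild a parent/child process tree from the 'wrote to memory of' rows in a text-extracted sandbox report."""
import re
from collections import defaultdict

# One row per WriteProcessMemory call: "PID <writer> wrote to memory of <target> N/A <writer image> <target image>".
# An optional "(xN)" after the target PID is accepted for rows that have been collapsed with a count.
# Image paths are matched as non-whitespace runs, so paths containing spaces would need a different pattern.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)(?: \(x(?P<n>\d+)\))? N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, target_image, count) for every matching line."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"],
                   int(m["n"]) if m["n"] else 1)


def build_tree(text):
    """Return (children, images, writes): children[pid] is the ordered list of PIDs it wrote to,
    images[pid] the image path, writes[(writer, target)] the number of recorded calls."""
    children, images, writes = defaultdict(list), {}, defaultdict(int)
    for src, dst, src_img, dst_img, n in parse_rows(text):
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += n
    return children, images, writes


def roots(children):
    """PIDs that write to others but were never written to: the top of each tree."""
    targets = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in targets]


def render(text):
    """Indented text tree, one line per process, with the write count on each edge."""
    children, images, writes = build_tree(text)
    lines = []

    def walk(pid, depth, parent):
        edge = f"  (x{writes[(parent, pid)]} writes)" if parent is not None else ""
        lines.append("  " * depth + f"{pid} {images[pid]}{edge}")
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots(children):
        walk(root, 0, None)
    return lines


# Constructed sample: a subset of the report's rows, in both the original and the collapsed spelling,
# enough to show the two-level tree behind the behavioral1 run.
SAMPLE_ROWS = r"""
PID 2016 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe
PID 2016 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe
PID 2016 wrote to memory of 2576 (x4) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\ProgramData\HsUQEMYI\DQwUMkwI.exe
PID 2016 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2172 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2016 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
"""

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
```

Run against the full row set, the tree has one root (2016, the submitted sample) with six direct children and one grandchild (setup.exe under cmd.exe). Note that cmd.exe also shows writes into its child, so these rows on their own establish the launch relationship, not what was written.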

Processes

Process tree for this run, reconstructed from the PIDs in the WriteProcessMemory rows above (which of the three reg.exe PIDs ran which of the three reg commands below is not recorded):

2016 C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe
    2436 C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe
    2576 C:\ProgramData\HsUQEMYI\DQwUMkwI.exe
    2172 C:\Windows\SysWOW64\cmd.exe
        2904 C:\Users\Admin\AppData\Local\Temp\setup.exe
    476 C:\Windows\SysWOW64\reg.exe
    2352 C:\Windows\SysWOW64\reg.exe
    2060 C:\Windows\SysWOW64\reg.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe"

C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe

"C:\Users\Admin\pYQoIwIg\UgsgoMUs.exe"

C:\ProgramData\HsUQEMYI\DQwUMkwI.exe

"C:\ProgramData\HsUQEMYI\DQwUMkwI.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
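
The three reg.exe command lines above (HideFileExt = 1, Hidden = 2, EnableLUA = 0) are the sample's most portable host indicators, and they show up in two different log sources: as process-creation command lines and as registry value-set events, which the sandbox prints in the kernel-style \REGISTRY\USER\<SID>\... and \REGISTRY\MACHINE\... spelling. The following is an added example, not code from the report or the sandbox: a Python matcher that normalises the different spellings of one key (kernel-style paths, HKCU/HKEY_CURRENT_USER, Wow6432Node) and applies a single rule set to both kinds of event. The sample events are constructed; the three command lines and two value paths are copied from this report, but the PIDs are invented and the tokeniser (non-POSIX shlex) is only an approximation of Windows command-line parsing.

```python
"""Match reg.exe command lines and registry value-set events against the evasion settings seen in this report."""
import re
import shlex

# (rule name, canonical key, value name, data that triggers the rule)
# Keys are written as HKCU/HKLM; normalise_key() maps every other spelling onto that form.
RULES = [
    ("explorer_hide_file_ext",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", "1"),
    ("explorer_hide_hidden_files",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "2"),
    ("uac_policy_disabled",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
]

HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU",
                "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM"}
USER_SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-[\d-]+\\", re.I)
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"


def normalise_key(key: str) -> str:
    """Canonicalise a registry key path: the sandbox's \\REGISTRY\\USER\\<SID>\\... and
    \\REGISTRY\\MACHINE\\... spelling, HKEY_* long names and the Wow6432Node redirection
    all collapse to lower-case HKCU\\... / HKLM\\..."""
    key = key.strip('"')
    if USER_SID_RE.match(key):
        key = "HKCU\\" + USER_SID_RE.sub("", key)
    elif key.upper().startswith(MACHINE_PREFIX):
        key = "HKLM\\" + key[len(MACHINE_PREFIX):]
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    rest = re.sub(r"\\Wow6432Node\\", "\\\\", rest, flags=re.I)
    return f"{hive}\\{rest}".rstrip("\\").lower()


def parse_reg_add(cmdline: str):
    """Return (canonical key, value name, data) for a `reg add` command line, else None.
    Non-POSIX shlex keeps Windows backslashes literal; surrounding quotes are stripped per token."""
    try:
        argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if len(argv) < 3:
        return None
    image = argv[0].lower().rsplit("\\", 1)[-1]
    if image not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    opts, i = {}, 3
    while i < len(argv):
        flag = argv[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(argv):
            opts[flag] = argv[i + 1]
            i += 2
        else:                      # /f, /ve, /reg:32 ... take no separate argument
            i += 1
    return normalise_key(argv[2]), opts.get("/v"), opts.get("/d")


def match_cmdline(cmdline: str):
    """Rule names triggered by one process-creation command line."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return []
    key, name, data = parsed
    return [rule for rule, rkey, rname, rdata in RULES
            if key == normalise_key(rkey) and name is not None
            and name.lower() == rname.lower() and data == rdata]


def match_registry_event(value_path: str, data) -> list:
    """Same rules applied to a registry value-set event, given the full value path as the
    sandbox prints it (key path + value name) and the data written."""
    key, _, name = value_path.rpartition("\\")
    key = normalise_key(key)
    return [rule for rule, rkey, rname, rdata in RULES
            if key == normalise_key(rkey) and name.lower() == rname.lower() and str(data) == rdata]


def scan(events):
    """events: iterable of (pid, kind, payload) where kind is "proc" (payload = command line)
    or "reg" (payload = (value path, data)). Returns [(pid, rule), ...] in input order."""
    findings = []
    for pid, kind, payload in events:
        rules = match_cmdline(payload) if kind == "proc" else match_registry_event(*payload)
        findings.extend((pid, rule) for rule in rules)
    return findings


# Constructed sample: the three command lines and two value paths are from the report; the PIDs are
# invented, and the last two events are benign fillers that must not match.
SAMPLE_EVENTS = [
    (1001, "proc", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1"),
    (1002, "proc", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2"),
    (1003, "proc", r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f"),
    (1003, "reg", (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0")),
    (1001, "reg", (r"\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "1")),
    (1004, "proc", r'"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f'),
    (1005, "proc", r"cmd /c C:\Users\Admin\AppData\Local\Temp\setup.exe"),
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(pid, rule)
```

Matching on the normalised key, value name and data, rather than on the raw command string, is what lets the same rule fire whether the write came through reg.exe, a direct registry API call logged as a value-set event, or the 32-bit view of HKLM\SOFTWARE; the event that turns extensions back on (HideFileExt = 0) is deliberately not a hit.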

Network

Country  Destination           Domain      Proto
BO       200.87.164.69:9999    (none)      tcp    (2 rows)
US       8.8.8.8:53            google.com  udp    (2 rows)
GB       172.217.169.14:80     google.com  tcp    (2 rows)
BO       200.119.204.12:9999   (none)      tcp    (2 rows)
BO       190.186.45.170:9999   (none)      tcp    (2 rows)

The only name resolved is google.com (DNS to 8.8.8.8, then HTTP to 172.217.169.14). The three 9999/tcp connections to Bolivian addresses have no preceding DNS lookup in this capture and are the network indicators worth blocking and hunting for.

Files

memory/2016-0-0x0000000000400000-0x0000000000459000-memory.dmp

\Users\Admin\pYQoIwIg\UgsgoMUs.exe

MD5 d80be314e463944ae12698f88eee03a8
SHA1 052fd9ccf32e52c769d0ce8147be7d7ea26d962f
SHA256 3d8680d6679f280f5edd7552713393acf56ff1a32aa08ed9e937d5ad73ee059b
SHA512 d928b7e923ddd85ac89173c11ac4f0597d889dbec267036ed794334464ecd15c8f9289e2afcb3bb1220a57594c3d1c60333d3e45bd101ed81bc344a47f669882

memory/2016-5-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/2436-19-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RWIocwcU.bat

MD5 72d8f984a3a06069a2dd277fde7be97a
SHA1 666d719870cbaf186bcf832f5cc7b319904ce75f
SHA256 c87751f83500347502cc426ee94a602980c0ce706223144571211b8144732b4e
SHA512 ed696714a820f75b96d64b200f22ae9c6ec43785240a0f0b84cf0202e4aca22b02c61b987720e075ca3db48ce7e91e53264c6b4af917a06ebb28177c818fe483

memory/2576-23-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\HsUQEMYI\DQwUMkwI.exe

MD5 69e3606036ee01fe7b8c1942ccc623eb
SHA1 b7833a8f31f0581738f45533bd9763e6206ca4ea
SHA256 b8facfa5ab5e96f6923cf2cff5ec4e50fd893199bb575ab5042bba3f3b6f78ce
SHA512 743d9d9d385d55442afcce4aaef9366e2f0d77124f4893e6302ebf19448287260f0532538ae2c0161907642ad5e949d7b1ec4055f56f014c76d6717f148f8dba

memory/2016-20-0x00000000003D0000-0x00000000003ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 6f581a41167d2d484fcba20e6fc3c39a
SHA1 d48de48d24101b9baaa24f674066577e38e6b75c
SHA256 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512 e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

memory/2016-35-0x0000000000400000-0x0000000000459000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\Aosw.exe

MD5 4eb2687f95c64961af095f8c45893e78
SHA1 8743c26b20a5b584fc762f3bc7cf7dccdaf47ea2
SHA256 a685301987dae5fb6cd653d1d2e1358e6b4c722636b585b5e5cf91ee1ba9bc70
SHA512 c390fc7d7f57fff9c06483643b0232882307008259dc1110d307040470e0ed2335ff0579df3ef283db161ca980b34f1933c99475b2c40d8b4d3e06d63e18c096

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\UQYk.exe

MD5 9dfe46017eecee9e7105dfe9c539fe46
SHA1 f92793ae623fa941caba39550ee0bb557d3bd00d
SHA256 725e04c963dc76d0b4e7383f262a9f2f1d984ce511568a59dde6f23aa5868f79
SHA512 2c22f6337f4d81d77ecafa2a11259166d4a65d68f13c852be8cc306e3e1a1eafca9d2df349acbd381e16ba8c3496189297a31d2356e37d0d3d546be341318e7e

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 0bfff275f8d15d727622dca47d6980b8
SHA1 ea0f998444dd7160ffaf211ae92b41c95b6548ff
SHA256 b46b79fe8d56b3dde4d2f3d794e284c2a6856395045fd329181078b1c17918f3
SHA512 51beace70207b9e08b2b77f2f5ce1c51825dc14279572be37fab4f46c35ef6f37dacbb205e0a9d25e779d751720d2b59ac8082b8a92e1aa19673aacc23dde82b

C:\Users\Admin\AppData\Local\Temp\agIA.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 be98f9832629e340da63b097b3d43779
SHA1 343ff35038317bff409a3d296722206506ccf46d
SHA256 24b427049ab014e34de5360eccc6add4bcb734d2881cfcc0f166168032f669e7
SHA512 ea5b3ebda5dd59c173349095f922ca2b4f289c02a5071af9cff529d88276affb6e56f0b88568f6c29ae1a046d3a5cad694b8215daceefd08899a5396592275fd

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 770aa1f680a00dd8afbf786b52ca6e7f
SHA1 70db472c734442869e5dae4cac4be15278119c78
SHA256 3bcde456a738a89f6236a1aaadbdd0b633c29eb1376c96dcf9b0af46f869dd94
SHA512 89db96215181e3abde2af3c5a51412e1bde0aa2b48e8db8258a01753016174662952bc2e09505584a7aa6fc4bb9b6599215cd9a8062c9c512b1d79c6a6df0326

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 af1b0d4284e4f05f00a204aa4ad0fc47
SHA1 298f0a2a38725afc4338a67cccc4fb9c2f133251
SHA256 7e747b762e7a81dc2dcf7295f2fca1e7c50625c5832852fcedd29a8ad54f535a
SHA512 8fa5bcbd69e8ed2bb523474892bdab4da8295887245cd14367d08fc81a0d6e9825b1222572bbba09b88aca6100adb1eee8c7185a1a7538e98a5f53f254f8dd00

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 c577c4b49d41a4e47f29c92ddf478783
SHA1 c7a70c43e2690331839de83933645fa7f242e17f
SHA256 d5f768ddbf5ac34c2eb825a8552c9478fe62a47ab8a68c9b18308cec6dd39f41
SHA512 3d5a92350499549cf91274ccc488b7c3334ba3db811b46fedec312f8eb68b4dea70698d75454740a8bedd8f48b59bb727d707062b460c389de2c09cf44027797

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 2bf4f1a74ab0022d3d04f7070f0403fd
SHA1 3c9c4c3a9437efd3a3aa0bdb667d7974997513ed
SHA256 2618667fad7a84c802425f9662ac456249f4a84ff776cd24a0d3fef4eb675aa5
SHA512 90a893e8151a4f9f5360483f3b7edf1b0956f3e7f7573ff94c302fec735225f0b3e56b2b1dd1b230b5987ea8bf36422ac36ff1066ff081d0e960f7eff2567777

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 d58e7b9a8a269ae91007436f38d77dfc
SHA1 91833f6fd627c62476e7d381577fdeff41caff93
SHA256 907d44d009f5ab0d6727602ffcdf07978b6b278f8f3b6d2101b85f5ee596e481
SHA512 8efd016d2dafae723d148b63e82485fac986d5c9083774b97e692080cd1182fb3084b6a1e698630edcd27f10496e8f5c7f88418038837660b5e93c9a6dba7688

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 967f0868f2bdd4faa156bc37e0acae4b
SHA1 ee3a6425cbf08c6951d38f95272886206640b608
SHA256 e3edf06cb5b129a26db36df6d7c1524b41c886cfaa012034964187910fd239a0
SHA512 760555e594f2de12d03bb6f1128e11b3a6906f5bee48678156411a47a39e6c02ca37bfc264df44a39e1b0ad5bdee2cece42e539ef21bf6789fd1c35ed8805f99

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 8b136d92a5478245f93b41088d1d414f
SHA1 a03cc429575d1a7659d5e564bcbb7693aac32cc3
SHA256 4d7f18710e93616f2f8197895de82319ba710f114796613142079cc1798e068e
SHA512 b601744f7bf95399a3832ff2070023228c949964670bbd91d343740752320a2a131a259b28f91fec360f7d5b97e8e33f851073cf963439a9fc315a427da75abc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 d618842c0b8969feb744b8a3dab92603
SHA1 f5208b0d924c07c65c349142c9e7999eb72893b1
SHA256 e6c41c14e8809e05a5c1054a38e15934c3997c932d1ad3699f949905f562b3ac
SHA512 bf879975031a5ab0f1030f58e522dd36841ba79decbaf33d69a266ec4a8514e41c342440c454d02bd1b00b4ade04d8ca619a5597decf5729bb25887aab67e190

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 73bab283f3502b46a3bedd3cac6b2dec
SHA1 1ae8b8c12f760d51ee76f4112f0dcad4e7585ef2
SHA256 9ebcc82d6fa3670e496704d02dff6b267bc9c47d488cc84bdd1cca07c095558a
SHA512 6d006874a93061bdefe64d850b17689a9dadcfc60c39e73493e9ec2f64a79fedaaf6823afdf60a5f9f39bfcd8867ea0bb7fe40faf1f5b30be8300d34c8a4d305

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 973d4f08be37a151a1db05b983041cbf
SHA1 7cbc066bec1eb4d41fb9f8c951d18473a4b893ee
SHA256 f9ad4735bcb834ee768feb7f63dc773cbc900b3e5259795788e795ac4483df05
SHA512 ad3eb2ad80990525cb483b669055247cb423e2766d8a165345a02590217b9c8b54497dc6b3a480e37516d7ab3663ad73eced23767ad95c5fae854f04b08bca38

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 bf024a02cfd1cdd536b4207cc0a87511
SHA1 3f76bb5ba049147bb3d4f81005cc3c6fb0e9d8d0
SHA256 10654ea79bf8a9e265637c4435f7f92fd8a2fad3342fcd7165930082b9fd5b43
SHA512 ca2388797e678151622134a2b8feee5a74c7f5f36a9052a9d74e3e492cc04ec89aaa73497f70a647be0b81e4e6d8021425beae18b43c00427b1db4dcc77cf720

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 8bed2af4429fbf20822b1cd884539b73
SHA1 b4a22e66415499664f7d191e2c3dafe950b260bd
SHA256 7745710981f2e9ceef9785e84c8544c4ea246d0a25c389dc284a4f9aafdc0662
SHA512 b9080325e28da7a5c220cce739368a4361ed8208cfad10d42c0fa5abe67a28b84b3e2fec72e5dd8822a68a8df95a283d53fd7a32a26102a139434ac90b81f7a2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 1e5c469a4c668c978e977ae1ad480508
SHA1 96f140f482e46f27b83a731d86664d9210a83eb7
SHA256 50a61bcde813a7b297e048a80957d6bbe7fe64d314d10d8272b2baec65ae61e9
SHA512 f7755c606b4c845e487384714f8f740ee614597b99b6b6c9aa97dbf171991d5f34f8f1e75b19f61df2486e34ad2e61e08c6c5212e9771c6cad4f2f74e08e37a2

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 d1423bc78dc4cf42eb49179e17567edb
SHA1 82e5099878c99b1bac451daead6672c05f35471d
SHA256 fc8e75704098799114604e6a368598e8ed1f31379a4d8fd953cd5dcb93c559c9
SHA512 7f0971a90039456893653a430650b7e4087c5006f78541380b6cd4519916456803b00a92b841700f4fbcafb9df3c8c874a0565427e5505428f350352d3a1e1fb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 3a7859dd0b6e4d12edb70a37b876c033
SHA1 dca838b8c4f7b87bfb5156f4cfed1823e046799b
SHA256 8837959b3a62b339d3166f55cd72b20f555a6556570ad9be1730302df0f29971
SHA512 d44d33cb2f8a1a52e3e2e0e68307e34289b91f9a44a521459ec8e487791be708fa835f3eccaeec431845da5bfb61ca0893b9aa06e948bfdec54d78862d48e9b7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 0f451a03c66a2043d6cc22b9eec3208e
SHA1 1edd1febe432aad174363490320e5bd37fd52c60
SHA256 e5f970652daf56dcb52fcf5c9e2b1899b204c5108b7b8f641cdbac68a6572d11
SHA512 250add5d7d81f2567e6d0c0d2113ccc234954e14895dafbc13f034404810f4199edba660e729c50bc164254e7350815b3560465fa5fd7fd08f58815c26124b91

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 70e645e39e2c7e1d9d5d873fd41413ca
SHA1 62a6da90b38236386162ab918f9f080590f04013
SHA256 6e811fc4c567e126fdfb4fea84fe9a73f15a91c42f525f9934c2d1f26330bf69
SHA512 08af4549fca0dff75e45f3923407c802b726080cfd245d6f28d213d24b6961c8e91172b8577b887d075038bf177aef87c7d5d5ed208433889d79d0ca66a60e77

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 aa77e570d429f6f44b12bb06fb82588e
SHA1 aebdf9f6ccf442d2723944a65c54d503e74faa62
SHA256 1bf8c7a8e9bffa7379174c19cb6e45214b99660171950dd266a82fc942f88025
SHA512 12f2fa66695be396663a346cdb1ba9660072e1b3a6617d81eb126d8bece1a38151b23cbd2817e2973e24f9e8d88ace92e57da3da4860fb043392979e918c848c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 307776b4d6720a4f883a38a0fbeedb55
SHA1 acdcfe38efa6f758dfc0a3c51ebd3b442dc75971
SHA256 f1a4e02bed729bf1b8c75007fa3f032982833a1a118d539796681dba6d225ec3
SHA512 403ddd8f2aa3c46d3bfc75b75fab1e5035fcb6d51a7209de0492f7456118508b990f2ea29415db77bf0bc1f81f3965f674fa938076396150d46d859ba46220c7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 5dee53e852648b185780f873314a6154
SHA1 a8380850e141c4d66d213dd841248e8f7d686fb5
SHA256 c08cb4e9fc7941012309b9b0a119c9bb41f9c9b57d9d7cb5eacd2e26a2554fdd
SHA512 3c93b418eced93fdc27d6c3b0eb4acc0887a87b421180aafa083035b8ecaf54733187ea5044de4e7c34bd2b2c5e5edf54f3e7506d97aaf616bfd4da5a5e274fa

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 c324e69f4fa019bc766e334a96ecb594
SHA1 3f5ac9c507295bfa2b7eac42dbc14e6be7c12a19
SHA256 57f4da59a7f590de396ca12769cd93b924257bc579b7733f38d1968ddb835d13
SHA512 a6fdd476895e9d11a50a880b0dbdf1a4dce93e2d8f31191329e66aa7bb617ffda005d03259cbf70b7fb9a99c4fff9a9ac8e4b6ed795f1fc72db8f0a26bc93e42

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 d0877efdab74230c099a9222a3a077e9
SHA1 483c87bc966e2bfb10ad674331624eb2051674ee
SHA256 aef3ad6fd8a92ac2b5d34578eddc00243ca770f49b3aaa4b0d20b07336bdba44
SHA512 5b3c28062e54ac3b37950ab2abb93cd65e98073c981c3cb8bbe1c58c2aff470032b14f9add838332705f8c56004fc599240345489c6d43e228aed86ee9ed86fa

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 2b796b9ba743739f8b1354d06b9b3759
SHA1 73a9de3195b33f0273ca3faae6ecc5d77bc239fc
SHA256 e27281dc6f78209985ca106124f0b1234d941622fa4d82921a8ce9a02b6c7482
SHA512 ec096f3108c84f37f9792fd239ec81bb06dee7ae111f664d000c9077698451ce43672c3214f337c0c0b620ea90b1eeda80dddaa4b45d74c68251d21ba449e82f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 76ee2c88082a4eca3e78dff8157ed5a5
SHA1 1e5e094d900cf4547c8624bf5f555eeba92ed7e4
SHA256 c16c278ad97dc2bef4630e50e09170fb39b289ca96057c21a6dcfec0ca8c956a
SHA512 a26f54363d54815e49445c9f18f2b10afe2c0b378c71c34f8ab59c07ef03d3acd2464734cc208f3ab3bdf12ef51bdf25e47da113337bd0935170cf4ccc27bb6b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 67fa74b4552fb4ceee4618936861625d
SHA1 a2279c110bfb7bcf49295a0c243046dc8191ebba
SHA256 e1609bffb5885e3a2e037c7ceabb13e9d4e5348378bfbf09afbfa6659ed39cd7
SHA512 5290e095fcc5882838435ecd32ad8c0c8a6215627a4306727a27373a5e16ba3b01e58f2b72420d34ddc0ccaebc3f1fcd1b927ce53027d2ff1dfd55a4391de82a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 1afdf5ede4c3130577fb5b688adbec95
SHA1 4ee7c85ee5382c46ee47c9e65d81ec7d31d00af1
SHA256 3bb39e7297b299eea1a769182aaf80d14d9460a4f515e9ed3ff075273b52c771
SHA512 59d2aa37d270d184f038bb7fc93f5e29f11e201d28b094c1b57d7cfdaf3848f13e6f61a9b9891cbfcb6245cc54d3309d51b4c81431861120efe6613c3fb44dbd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 9b73d09428d56db298adcec73e605a9b
SHA1 2b8847d103449b38c140b3421aabcc51d2cc8fc3
SHA256 572bec6c38193df70af16961c368a32a8aa6fa8d2cdbdb39dd2f313b55e951e9
SHA512 9c42ab17f73134dc334b415534c545e675a2205d6e8d8f6838a544c912256e1d62b63cc73ce7a5823b2b16ad8e1dd5b01e8fd6190c1a9ceddb83401fd4055b93

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 a0f25e140f3424d3dbfb06cdd5db761c
SHA1 c24f38fd86dbbddca738dd18cec1357e6167373f
SHA256 510bc707a5557cb246ce3794fec4559c804300a8f8f3c71a7fda4d0a042bad6d
SHA512 acb76cf8f9d8e4ec62e5af3bb76fe1851863987f2dd56a0983b09a8abc2a2c45d148e5feedd39d5372d1b18319751674ffafedbc5c9a74d3117597f744cea3ad

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 af535a3143679135f48907354707aa08
SHA1 a348de5708e03dd95595d1b4bd6639dcb4de8bcc
SHA256 5fd623be41e75ebfecbb2650f1467d76c2015d682577e26975eed9ea93a0ce4d
SHA512 8be2a868e4e19dee06d4af431814b806e4227db4252657a16e851e6240e2e75a71ec350a15850b69a3e907f4eca06e7071fc9fde112beb78cc04cf4a0076e00c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 5cd861a68cc897675e95a735dfb07cf1
SHA1 b9d82c56d817483cf7822452b2661d82a1be2dac
SHA256 46c0d1ef396193ca442bbffb98ff07b43f15332d485a252ec9bd01c725f4e1b5
SHA512 92be31f1f3de890e49763b4f45e10df863e8e2532ec7b7215eeeae2a67f2eb2197d57d284a9add13c3d53cd069fa47bcb53014915c35f0ca2d8357ab1751209c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 2e0ef456e21b199adcc76f5430eed5ef
SHA1 0e5b6a0afbecd6aee3917f6a5c9fd8c7941e2208
SHA256 c74fac0a55d87bcec348120ebfc90679908f9ac5723bdad41f3fbd1247e91f10
SHA512 f6c17db96325bbaf8e563df2dc70a818ae4ed05df00eca52325fcd6223a60e60b22641be840d5f0b5f2089b59a8678d8955847f3d9ca6c55b046f802ebb02059

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 1ed11f74c0c91c053343ca9de2f410a1
SHA1 5be20c48034e8b33532f991d8254a2bef3c75413
SHA256 c324ac41a8c30530d4a7898ead084c75d1625e4af0f67c1d65eaf76a1f360797
SHA512 1c36313efa4894505dc405a0ab5d9479a52e5a7496a9a0662b3fe696eb173f08e8f964742b84360eac3d26c61126ae7e263422447543b3e68737e0ccf00be6a4

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 74b19f276704c6c2de19601c07aeafa4
SHA1 0c09295113f3ed44338130f28dac2cbf0a85e271
SHA256 01fcd7d4b0e9fe624a5c1b0a53ff12d5b47b1b1d2c85965de4d0d5893bee3e03
SHA512 4abf209d19e018d1953ad6d8c63da2e53ca471292735b44ec581fbeee34c6da8e47b7c1d7df9558d2c17e42f4e4b310f6a06608929b24b8c98e1273835c14522

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 a6ae5978ee6a99afec36e66252c54935
SHA1 34facdc117ce1dcbde2c86c59ee0cb9dbbc455cc
SHA256 2b204b7e13f51b3b041e8f6d63f289efb2c143b552024cbf5cab994352a212d6
SHA512 75b4f2a3ce1ed0ceaceb556aab5c22a48f25b17ff1ccba526be6a5345f3ed190f115543c6939f51d148ab47c2e5f2e02bd1c03467a2da363cd90210b50d927e1

\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 1191ba2a9908ee79c0220221233e850a
SHA1 f2acd26b864b38821ba3637f8f701b8ba19c434f
SHA256 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d
SHA512 da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 a9993e4a107abf84e456b796c65a9899
SHA1 5852b1acacd33118bce4c46348ee6c5aa7ad12eb
SHA256 dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc
SHA512 d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 8e4ea127302cc79c5e0df6140d23cb33
SHA1 c211bfba7aeb211c07f84ec54de69dcc9fcca38a
SHA256 d43b16769b84538b63ae3e0fab9273af4b495b24bc2e1976235cdb841850aa05
SHA512 c5ba0a76acabccaea9139772dbfaa3bcf12bd298d09ffc37795b8894b940c43664d88f1e303cdf9d4f5c74aab05171c9fee1b5223fd64fe25a32ac94d68aa6fb

\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 3cfb3ae4a227ece66ce051e42cc2df00
SHA1 0a2bb202c5ce2aa8f5cda30676aece9a489fd725
SHA256 54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf
SHA512 60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

C:\Users\Admin\AppData\Local\Temp\KIgg.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 f71c202e24c6eeadd569be74410b90ad
SHA1 d9e3ecd0dfe39f28ef9a1b441b338f309557f502
SHA256 3428324e58846161ec8ddf2af83293067b687dbe28ad92b0e50e71d6e15052d8
SHA512 f220b6641be29c85d1bdd38bb9a3300251e0bff949eea690c08328d6082a2f679f27079bd16d64cf0bf3a9122006f3d4564467215bb100d9cba87f7356ad16ea

\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2b48f69517044d82e1ee675b1690c08b
SHA1 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 ad541da26d316ab4e14178c61d034dc7
SHA1 ef27b18d3bc04f4f56d716bf643dd39e443f049c
SHA256 19ed3668f2022808396499c5ff72c01e68f11e581c64e206ae779ea5f65082d7
SHA512 c3e0bc3eb049f1d0ca4133095da05016c0482724d9cb02743a3c1ae18e520c39460fad1276e5489e9a07fab3c3eb12cd62582e0a9c7859db3e0fc78f3d31c346

\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e9e67cfb6c0c74912d3743176879fc44
SHA1 c6b6791a900020abf046e0950b12939d5854c988
SHA256 bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c
SHA512 9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

C:\Users\Admin\AppData\Local\Temp\MkAc.exe

MD5 df99747c878ebff347693ddcd39da2b9
SHA1 95a5970750cbb4b42d94bd2903196cb28040a705
SHA256 5d98f4adfd1deb8a78f9fec632b4dcf90b0859f671a734c2f9341285ada2a7e1
SHA512 257e2dd289136e0669b634a125bd1a1575a339eecfbb9fa25e2ffda105267486646d11c7fac2acff281aa031d78e75142570a247dbc34fe9fe3d0c62c30fc6e0

C:\Users\Admin\AppData\Roaming\CopyUnlock.wma.exe

MD5 82ff33975a36d1eb5f356aa2bd815a20
SHA1 cb7df7c09a88fee88c0fea9a249d98f985420aa8
SHA256 4a699b11fbd1eef6074bc99a8c5c4537b0147c77443be8c145eac11fdd50bada
SHA512 b2c327cff26b32371f3419a54d4ffb9a8a757c7c72f147d39fd3e0a08c020e24922fca8745b4a7f29cb2ecdc373cf282f0e80af5eb9e97e9805c73e51f51ba70

C:\Users\Admin\AppData\Roaming\JoinSwitch.rar.exe

MD5 4ae8bed3e3112fe6392fa1b67e7a08a2
SHA1 61363a97f66b27999bf6d10f19ebdc379165ac8f
SHA256 3e2d9a3b8be71d3fde433df305d6b0378423d86c3febbb52434cd4ed9cce0d55
SHA512 1757f51cb29c822aeeab0537312acc3e6d26960dc44d26baee3650f41a24b6b745d962b9c7e47880ca502f56a6b455183ee29577c15da25a4bf3f328a5fcdbe7

C:\Users\Admin\AppData\Local\Temp\ssgM.exe

MD5 c13ec93e99f75e74c7fa19f1dca61292
SHA1 eb2a413fac13cc69cee8c638748d3fa5ba6da9a9
SHA256 685d4d8c91932541ce64a9e645e9eda96393aba881df1e818e3893bd6a5795f3
SHA512 8024fe639f9b0a552dadf4fa7ad98645235fbc4e00a5ca30cc548de730de47a82b0386be5beebfe923f0f4c7933739999721651a83d459b9295890b1771d3f88

C:\Users\Admin\AppData\Roaming\RegisterSet.exe

MD5 7d3886d2c65e388d286f7cce926a123a
SHA1 3ead8709e16d9b216cb09557ea1282f72c42d798
SHA256 c115ccf6f0df8e2950f2f5e622a56228e156aab60f7a68496940e01d16cbc911
SHA512 70f201d4574059d23956686fd8653fee1a60402129cdcd44addae7b3a0fad4fd824f09bec74ad1ae262d37f8ac5591c61beeca4e2754dab809e5625efc073820

C:\Users\Admin\AppData\Roaming\SearchClose.wma.exe

MD5 356256dff2f6352a7fd1e52a59d209a6
SHA1 ec21ecc59994576f8a216ede2bb790c9ec08fd59
SHA256 282d1f83e1fc5bef68810c3e4dfd9555200706e6349b7f2af7aa4aea708dc357
SHA512 3e82ac9bb056669b5ef5a8fd49ebf0d98d5e83528cd8eecda25239a27e577272364e749582b11ef2d4594167c0e3fdd9c84602ef73f5e92112587562d4e30214

C:\Users\Admin\AppData\Local\Temp\agse.exe

MD5 0207ddf2998e052353d69408a6dcdd5f
SHA1 f8a235f1ae417e6f5bce45f34880b83ca8b48818
SHA256 39d0b684e4de709fba8c4a62b6aa7ce6c2dd4df525ab18009592d2878290766e
SHA512 8e6a4dbaabea4a9906459419eb134b6b2ba350be4fbe5fa749523763942062bdbfba41e1668e7080e7c0e9c9b1a49477174dfedea5cf23fc8cd3c86bd1eedfa6

C:\Users\Admin\AppData\Local\Temp\qgQg.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Desktop\CompleteSend.wma.exe

MD5 d22bc82272e649a984fb18030065c6b8
SHA1 a626a93271977215399c9e35a57c8fd74bcc5000
SHA256 00795ac47fbc90671c82f34de4d3a5030bf623d3a010cc70c7af8da671e9ae4c
SHA512 329600bb2384087d6fa72729f6a13f4b5c2f593344e96b754ddc427e6175e2fbd63c242b1598e65316520a4d26d566ba9ea2900b70c3bc7c0fa4ce0cc858559a

C:\Users\Admin\AppData\Local\Temp\awkc.exe

MD5 a7e832e27aedfc77a9c23fad8ee58b72
SHA1 17998b45df37362a8c1b7ff0de37b8e35a725e53
SHA256 1780882d330145923ec94748a6f30f510eeb137fb880987394b625f3102489b7
SHA512 6753d6f8b8a83b5fdaaedcd7c89e2ccab822077313d9a5b48578b496ab02c47b83983bcde5c7861c3fcc366c3fdae8bb5137ac44d5e7676e1c26a8899e150a04

C:\Users\Admin\AppData\Local\Temp\accg.exe

MD5 0925f7572609a35837b5c3704f1fb9e8
SHA1 d6d82ad14d074e2b2af94a9937bf216cb710864a
SHA256 9a981fc4d6523cf2147776d731becfd09a7dc6c67a5d69c449390c1c38a248ac
SHA512 f06a594f67d9286e260a67271d10b17e39c6e8ded504d738a10cb65f340ae0d50cfc9b39e1d5624a5f8b2348233e27ef3e966112fcb82dd9d951cddbf21ddec2

C:\Users\Admin\Documents\MergeCheckpoint.pdf.exe

MD5 e821fba4c321931f2ce005fdf2045d07
SHA1 5b1b8694826ac1dea98b6ac0fae6ba19d1aa2823
SHA256 5ec5492c8a901d90dab6165946c9d1b54735c85cf58b51108aa6e9586236f318
SHA512 902f2c13749d43741ab74a39adaecc096e36a46900102906d4694758a584860bfd98a238401c54e37827abaf595522d497a1cafc1d34f133416d268fbe00a8b3

C:\Users\Admin\AppData\Local\Temp\QEMI.exe

MD5 2d91b13f3fdc571ccb613b530b1463dc
SHA1 274610af0b0e870ec3415b25fafa65119d145dc2
SHA256 50187e7f2402b9485e0dd9f9fa33e74f8dca8e3de3794bbd373e37d4e8438d14
SHA512 f62c36ca3f5203fe395ddee78d68502ba1c27e750eecc59ef17843c2bca212dc95dd6f00648aeccf6c81cd45d297966463aede97e48d47dc2660966638949243

C:\Users\Admin\Documents\UndoRepair.ppt.exe

MD5 b6c1f8a136ddfcafb86cedfda85bdeb5
SHA1 630812a00c1db27e810d75f55b9fd6a4993922dd
SHA256 1ab7c10828e8cb7fb423f658d3196d9aae819a3804a0035b518b9364af61e825
SHA512 747c1e822849e7996863839a7370bd0ca0bfa0b8bc450d481404f3ad8fb3120664457081124839857d37dc35272d169042bb2ea8bd65b1cace0772b596b4f31d

C:\Users\Admin\Downloads\GroupInvoke.png.exe

MD5 8b81c9517fc1a5eaa3f982872244483e
SHA1 36d2b367e9f6efbabd07cc5b5825624655932258
SHA256 c3637d7ae3137189180d19076c81a63453546798988b9984358994f0a2819f30
SHA512 a6794a46a059506dd13d2fc78d1677fed2b1c9173445a38985f88d646fc3ee6f840d1e8b6b68d9aae3aa3ce22ac45090922ec0e45d6a07e010e1aff109525c04

C:\Users\Admin\Pictures\ReadOpen.png.exe

MD5 adc39bfde3a06056502a7ae92780eabf
SHA1 24b31467e7dbc37277a503683324224ba693bbc9
SHA256 f2c1d39de5eff97b104b1227d8ee9c5a3ea895cd5543a3c54ba0697fe07bef14
SHA512 e2b7605c06d26e6a30ae1681b2b035cf5d17c7e2601b8ccc9c0ca605289eecbce6fcb130b686eb2eba9288c389a698c7eaa8872891455927479f45a432c2d56d

C:\Users\Admin\Pictures\RevokeJoin.bmp.exe

MD5 33605a3b45974b79b90557ba709d7bb7
SHA1 cd13757f06804555707a3ca1183d2259cf02b336
SHA256 84c8a5a401a134bee2678ffdcb070b6c1ac647738988ee6d1c2c164118433a55
SHA512 ecf7fd602a6069bfda5ed935f6d9d890582b81835194ad289807290d5a2d9496422f9b1290218e04b2e68e4a5ebc34d64f9dda80f0de4bacb88ae383b93645aa

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 120b62d770531ecd3e3459b712334fda
SHA1 a91cb1797bd3f17c75d3e8c90a18fc405a9d33a9
SHA256 dfbeee9367ff654c37ebcd2657cf84ce75ac0e66d5abf5e17ef018789120e068
SHA512 a67c41e53d39387831b6b525345d960fe4d27f00b0ab44c715839f47f45f88ac3b153c2e33e42189b9db5d6c70fd69506c0276bc0786687165633690d178a66d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 f5cfb10a5e37cc4e5420d3a76b2b5bd0
SHA1 e8c4d0df03876a5851e5b70aa7f68fa6d0afa8d5
SHA256 74f2e12e756a54bad913152911b850a5fd10efcee0a8b4a8521aea9210e66918
SHA512 b33a375141dc09ca5d408a37d60a07fb56e1eeb35483d2ff7ae01c6d61208e25b24a9108152adffdef60b59bc171314989f16f0ac09d236b4a7f873b8597c6bf

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 394c293fc33ba81b83034c47b13621f3
SHA1 c11abf5b0542758b9fb649b87ff45511336bfaba
SHA256 5009e27e1df0c4493e57191301797fa367de65c5f3f33e9e5384831d15333c1f
SHA512 410c74a892bf23e23c99873dbb5574fb8ce0ce7d6940bf2e35fc2e633d4da3beb232256ff22a00c893004868fcd0e1fe289e937ccd46fcc445aaa59c30238ffe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 ec48d53f66ec990a20b40255a5468e21
SHA1 d1dfb55a0967a061747738ca9c9ed70ba5e8e99f
SHA256 5d73e2e4253dc4bd4c5a7e4152dc403c4b9df379a2760230098d1053299e45fb
SHA512 8e744c1c505ab8a699b7063964970360dcb1926af7d9221f0901afe18f53b04df4ac4079f6d8ec0d6c92500ab4b741baf5c0683891876bcb150e3ea1359a1a4f

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 b1e8416769ce3d5a0c2c8abef85d48bc
SHA1 2b225eb7bfdf07c2197ff96097feb68fcc7df35f
SHA256 bcfbeba13556efc2a6bbe0ee4a3e84041bc7d1e59bd92e07e8fd9d886c3ddd2e
SHA512 227267058676f3e9a41b329dc245174f828a481dd8692c0147e0f0fe2087524af8740195734fe6acf686300725d7d9a7c8791f70fab5e6c54cc87cebe6caca09

C:\Users\Admin\AppData\Local\Temp\qYQY.exe

MD5 62aa821bda2af96af358400902ef72ee
SHA1 18fe329fa1399ba82fdffe2c52e0c2587364c3eb
SHA256 f2a0a2ef3b09baebef5ce18d5876e466bfdea522af237bcc84be3d4cd891604e
SHA512 f58f9908b1a84229b69cddd2cadf73505610dfa2150b890dfb75e47e9021391b41403073e30448e280a55254632727b262f964609ae695da9397c37aa6f5858d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 88122121f3398b6281683ab7e9a9080f
SHA1 1cb77711571fd667b8d8c6fe7a96e94b0338d70e
SHA256 c26dc1ab93083d07faeedabc885d8596457b8517eb7555bd992d07bcb75a7484
SHA512 d09922b5298cbbc4456ad35ce4073fb5a2cb7457b09bd6561139bf68b19abcae4cb92b3bd3006536bc3ad92fc2121fcdf8ae0a25f78813cbc00383e31ccd29af

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 f80de9e93bbfaf413dc9e23daf227eab
SHA1 4cce7944ca55bc7dc75fb662d79b23aeb849abb2
SHA256 ca87105bd11b7bf827fd8d8c594b9388d1ea003decbb3888f5cfc633f52fd7d2
SHA512 39d3f6bae8196c58dcae068507242cb6df48c4bd9066e3873c9c91e9a99dda872a40c6b3901a701527070fa549a4ef35b95efb3cfda8aa6dc69a4da5cf82a3fe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 476afbcac6ea1e87257067ff99947e58
SHA1 434db42de05e8178bd9b3d1c0162a0e40a7a7e6a
SHA256 c4fede959f4e5053d6d1c083de5047d922cc7a749e4493f9ae76f6240c97c60c
SHA512 a164e715e7881ea9d33dd45837f4781b1521ba870f24c56ba4fc827334ee7d322ca0ffed3f9672d6a100e0536827f6bb427debf4ee29c2218fea7e3668a8fa97

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 04230cfe3d6df50163265cd2a6fc8798
SHA1 b7c655ca7d41ee49903bed03223109084e7d301e
SHA256 1d101f0807cbe9d9dbf0dea02cfa38c6dc88f9ab8871e620a7893613633bee95
SHA512 4c892e6823131c6a3f7fb8eccfd3f5eb471227353063dd32f5c15172380fd5c696e0c18e62546581bd01caf3b6eae8ecb754fc19596552141e88510e1533e57a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

MD5 2d8b2fa965b620bdd20743c706423c3b
SHA1 af00c75d90472cb4d1754d8e15c7357257324354
SHA256 d458947093926e0bf82b1f9e321657e5729205a01be3c0e8d743635e86b8a4dc
SHA512 ea30acfa0c46062a4f91ba717762f7b743a0e4c9030e04ad2193cdad52dd5a02fbc15b5cf290db5288bee9f56fc46d6d0dccf4b2b902c82f084c71864d0f0abc

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

MD5 de97f101b7888e070a3a211e1cd0b48e
SHA1 8826791dd3cc0a0574dc6b4a027980b932605adf
SHA256 e50f632c8be9d9500f9844b7a87e9a039294003619c318ca8b69707e0fc704e2
SHA512 b1522c1545e87e779188b6c9b885231b2926d6e8aea384ab73d18931648715dcf788e7fb178cd4d366ed7ab93d0121ec5e724c4678406771a7db8e455c5594eb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 ae434eddb877fdec55546430d397acac
SHA1 39706d08c7dce285008a2452bc78080dd3c84d01
SHA256 56af2529bbc420131f18f94e9043ed59b2c4c50fc5e216c77fa42de0f828cd88
SHA512 eb73ec850a6e5ba8172b33ce38246db32ac1880ef208b367b7a43bd986b44005942bfa28d88dd85c6eed1313d164f03d4f7b408d7fbf4f6e8f1914f21c5dbd47

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 925e20f978f13f9da29f7378e847dac1
SHA1 ae812b82441de28def7568a08dc46336971e93f2
SHA256 1912639606345fa0570a2c6164995f7a699e73395e004bb9f10f0da9663ef33f
SHA512 3cf235297dc786414f9b0545a6b83a0ccca0b343bfe64ada0085f514d7cf6f9335900d92450fbb4820dc8de3365ce49ef816d1547a0b00b67c455681d8b86cdc

C:\Users\Admin\AppData\Local\Temp\iAwC.exe

MD5 1e76d1e3f5cc0cecc415d239daa64c8b
SHA1 bd6729a924253e1b2e52e0f07808c181a6bc7f48
SHA256 ccbe9b0e2a03cd86e053f0c02ff6eb1fae13fa733167630ffa1796e3686cdd49
SHA512 c1f25f11e6c3939a5a9961f449c585b74206958053ad252b823ff482ffb8256a2e8416c86bb01609569b6f1aa459428cb76aefe592fe142d782f7407a7fa2b6d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 c199d368a267e9fa0e29dc9c87eed029
SHA1 6d329c05dc3a21bd652df0ebd06a509b8400c7df
SHA256 54cf4abf475ea392240b1c12197c7decd0eaf83d7110ba47dfbbd1207ea413a6
SHA512 b141fbbd1dd47f3088fcff2ecfea0148302ec5fc193a9906d05ab419fb2870f7fc4a9a0b6db5a5d1a80d6aacba816a39e3c8231907e5dba86292ca7e6b663113

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 2be564d627610e7330bc753dcd6a68f1
SHA1 b4370450cd174487b621215bac42f6123eeb36e8
SHA256 a98a7ef298d387e9f565edd782a146d12c6f057fc848d76592e06f2b0fc75353
SHA512 42e5e10a42a3c87eb5411e96c1dd541b933ce4abddc2c36bbf0db830b67a0a71e5a1daab977114fdfba68e83342365f096f1bade889f27dcbc338817411bc1d9

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 67a26728be924c187f40b31bef4d09a4
SHA1 3776aa92cbe03ff6bf788a6b236959fe6baec8b5
SHA256 3f1d3263c7f69ed12afdedfd4b53404951d832f3e30ffbf33c94a4a3c4e0b819
SHA512 e185c333045103556fd69640483a826f847a47f3bd00e83e990ae5dd12e36fc0b63b85539500e06814e6008df4400ea341fb3c0c0d6b9e977db8ba539eb18d47

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 976bd8be295b447c30cea332531b072d
SHA1 8235f0c3d1bc42d698bc99d7dda1b14659e71f40
SHA256 3a6faed6c7c866123e85836c8ab85e76389a15f2390793912b3ea2a346bd86c8
SHA512 64bec52042b066e799f5418b4ea6304c642fe8def3d5e0aa0f994412e04484a3ffc9fbe580423a570c6a36dbfdc3d9ffda99798520b49dc8647d4cf46f23e5b0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 33a613f64c5dbb05ec0eb9d2ffad0629
SHA1 78a5e47a66f8e1662164179e942942a35e7a3be8
SHA256 4c80715e94fe86673f2bee89ce67f3306d9fc455ec6b65aec76d04d4bad37924
SHA512 bb5949f52ebeff6eeb917cf5c871895a32012aeeee6c49eb89e5d0a14b41e2961af71de90eafc9dafcc18af8a8f7ca0ae4f9e10eed3da8ebac15fc97bfa6641b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 d18789172ff9188ae710bff3df7b87ed
SHA1 a5c43ab93cdefea2e85cd91aebadc39051746eb8
SHA256 f4822ae485e7524d59e32b9b781c96e39959e1ede56b5877018c16b16970089b
SHA512 e115bfbe7c8a4cd09d9e871290add3ce0032a676127fd1adc328e30594c0b5c87a905b35f653cbc5a881585d1d4ffb9f54c8fa065ff57022748a77ed1fb0e82b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

MD5 92ebfb39a821b15089c1220d8e5556ca
SHA1 ee734a85a363aa22a924ea01439811048502fae8
SHA256 a71eb78359425eb8cc320021a5311bc050b017913e754ffff133707e9c8bee2b
SHA512 31aeaeab6eed5f96633c6214318d3cefab7d4e90054fad2c9ec28493c42108a092d5588dd072c27b3d36a4e506d765d5b3f38adcc61f5fb54b85b8754a7043da

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 ead77c489bf88d2b32555b94fb092932
SHA1 94dd2cc479c3ed47607ed4c23bf3d7ac10c1169a
SHA256 37b461ead57602a00c26980674e1a35656139fb0d8f778aded1389968d5fa0ae
SHA512 e373366b43bf82d70b678c75907e7e3d0e8f883354df3dd2e4c19365da4b0d4c13623c502c9c3dfc04e33091d0ed425d00b029a818d50d4be0d4000941d5b822

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 135d69ccf848bde79a8db9a59dea714b
SHA1 7fea4b53cc0dce3af2e27fe450589d0f51d85df3
SHA256 45a0c3c6665677b798e8d4c54886fa5783e28a8d15b9be24ceede6a6e35d0e26
SHA512 332d45f07b8089a8625f74eed645f5623227c67e846c870130b379f86cf49596f6d2c26c46f480df0151e754e08f8f80b9e56c675ddfe538964f3e746c38099a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 fdfd5112a0f58667d5f170cb59c75fb2
SHA1 e886454eea7aec196777151570a9babf5e463bb3
SHA256 ff4dd15cb4791c7ad6a2fac8d1f6365d7db53d0893cba85aa7edb6431d8ba7cd
SHA512 cc75000c3cc109650ec4835075feb4f7e29f889d174d35a46ec426b93dfeb98bc233e7dd6b584acec974905108f8c3f7e20e55bad1c8fca43669a29cbd866e3d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 fc14726428e5b90919e57b7e0a03b621
SHA1 2ed6a741855420b21609f8d07996bcdf8677826c
SHA256 90afa0ae915475ad8fa1b728d0042caaa0a6b779d17d1e74fe6af1b736638af4
SHA512 79a4c3fafeb4436a07684ea46afd27b29099274e14f0fdb70d6f8354c40222299605d5e8e04b268706324d4037ac7544e2cdb1545c782fbb014509c4d8f0db9c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 3c36256d023bcc4d9707bfc98d4075da
SHA1 d33e2c8b7b715a28d0a61aeedd935f75fb9d5ef6
SHA256 5dd143673afbe4312c51532b4db1bb538381ac0ad65d2bae1cbab47a86bf8a61
SHA512 9fd8c02a9db79c1498f29c32c5f45b995931602df18e415337e9da5be74e6cf8d70657a9eadb2eb2a7ab5e83f49c8a8cf18a61e9924b8e3cdf7594e1b64e0f51

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 7ba70c04ee780fc7c3486e7822080007
SHA1 983a58a37380fc877674fc4e1eb9928a868d737f
SHA256 5a6a00228271818b09f2189b22bee1090464a6346f778994f5a9a22b384d7ccb
SHA512 e94efd455c154f7f30362e181c3cc2a1d6d328f6c9238f5e563821ad9200598631a79046ac67207498a019aa4369a25934785568cf042707b0247dd747e1ec41

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 b1a84e2e2fa37c200d0779879ebb77cd
SHA1 4e453fa8faffd9f64a1061b81b3fef6bbe39cf44
SHA256 363ea874820a0af06b8049fdc78d639b5cb7f20aff94023528c4a57690692e38
SHA512 7a6d1897d5e2484ac73448ddc778df2f4d9a1b952fbb0a09253b771f55606c082334e8dda927593520089b29837dc25ef98cb4d0e1c7bcc5df4af383be68144c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

MD5 2099424131059a9ece5f65f70b7f6fb5
SHA1 79cd8c1f623496f6f1c42b979a11d7b03298333a
SHA256 7f2d3a64686109a5737a295e3216f3696813ff461ac3ff0bca1b20072ce53173
SHA512 7b77482f37fbb99d89024c7b5da48c21927724af674770bb979dd1c1346ab57a243fa954298c7837bc75c2f8054a15936b4d833907264c370cb375d3cc30dc54

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 63d909728dcce5cd062e01558dbf0eb1
SHA1 9d9900c83ec43b11d2f2da7735d5a446b116f786
SHA256 a527b98a059f1d4e08930676a2b0908671e1d1fdc782af4281142ef82a82598e
SHA512 b5045410cbda947b1306f8b94e98dd3109e3c5d5cab1cc06e8509076ba97cad3d13b64e10f2f332feeab37ff438f5670ebcdc9cab2fd0d01eb4fe67575337cd1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 8d21f7e89554f8ce95059cd9c1dd2f6d
SHA1 a246acf74b89fff517c2939f979c10606e1396dc
SHA256 fb845c958b1763d14315f90d3832983f4a3818f289e89d8e7b20d8a18e24a069
SHA512 75b4254cf2d0fac42f5efd0daa415200d435833d59446fc4a53c7c136818bf810ac0a271da747bac34ac8a0e1d011d5cc288b6429945bea399336f1f8ec50443

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 54b3e07df782123779ebbe8504940486
SHA1 6af36ef71d9f70c0b127550648be43291177d96e
SHA256 c3e23d48a99135b2dc3978ddf4f1579f0c8d5ebcbe627d60ab610d6f603dd3c8
SHA512 ef5957b96ddca2ec7b3b5c06d48af14c4e3da301a720afd7382ac8396ab6533fc8868f58c90ff1253881adf0bc2bc0364737de381133479524636ecf27bce43f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 e6a882bc9a5d1f008098892cf062daea
SHA1 40a6c71b5ae6eb5c03d54a6e21d9dfb8a5855373
SHA256 b9ce92f79208b486f4784a9ebdb3db569042932bd4a7690ce715316c94ba0dad
SHA512 6a4cac53a3ac8fdd0738f6c6e97c95306987f0ffce9e768db83663190de789d60420f22f22884d5cfda4f45312cf6273da25536f1c7a60e57ff81e107e07da1e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 1b04fba9d47c4df0b06b8f693d3078ba
SHA1 cf3ba3d998ebdf3769ffca8c6e18d41ef67afd3d
SHA256 e35bb6648e623d141d7ee34a789c44394fa70a6d62163483f4ce06a9d3b3982e
SHA512 ddb84f7908a0ef90bceb43363c3de722480e786839ea95bf047b0d5c9c815667fde69ea392e649e0b50c32a9627e0636768b395251b0ea29299567e16a6b2912

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 d4cdb11122f20d56172861f8f1b82d01
SHA1 c883f5fb899b8ed13387e317641fe9a21e342d1d
SHA256 b08c1ec66a71958aa57a6788fc21cc04d97c03b5f00e18a1a5d6986f20aa7406
SHA512 22f6345776cefa9027aea9be5b86dbf7542286da8e4cf976c0a5edf3534d45596dfccc3f3b7f80bc0aedb3249ba7b7222fd8c817245b7a452e33bee6685049fe

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 995537bfe75c4095a64c40aa404ae9af
SHA1 89ae834e98bdbbb8ad93c585287e47b199a64662
SHA256 f3b41bc232adc1f993690911ce91cc19dec5bdf3f7b74998261b41fc43c785f1
SHA512 46c6a1a840758c9acbbd426169e57fb1d88617185177f5c815131c944403fd4000d55365b1607b40a629ef7564124793356079107c131f3486928a884ef6718f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 9c71975c40d9c36fef9b2a20a137a3ab
SHA1 0d79ba8324e27a27896383f2e9534ecc8abced35
SHA256 95e243637ab294aca7cbf3233a9f9112719f211f7a402928e19c7ed64d79743c
SHA512 e7085e422040ddfd5917402c22f791c5a0f833179fe5e9d6df7a2a059447d86b4b6ce281f11ac77625406224dbf840e7f4147aafce44691f71ba8c7563d9b406

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 92f112f44bd4b6243445d21f0a1cd2d5
SHA1 9789f4b11a6ec4ae83b3c72579e47e950ce77e61
SHA256 2fbd4cd31487e4a5665655b141d3ce84d6609c354a77cf687cb684a263f843c6
SHA512 02e23c577022cca7b46dffe2e5fc4437846ed4773834751049f1992c93342bcd0a365d81f3a125964012897eb3a5ec4b541690f01968bf6b61289856a7fa3e84

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 73ba22b7767d3a4647e235583929b7e7
SHA1 1be69dd634e88e1eea758a5a41105819f79eb540
SHA256 92b4587e349109c6536bae3a024bd708847faa3f6302db5fcb9d8023055af205
SHA512 3848ff772cc01d7fcbf018aaa8ef50f919348ddd769b94b1af620e0f016f67ba47c50ecfd7fe3a0b3229eddd42f06b9f5593a965af2573c71aca26b97a0fe263

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 14d5c316d723e8a299feb4c192b2100e
SHA1 060b3aae4005ab1ec902beb09962827106f9d19c
SHA256 7e3cb0e97a070dae0c454e7e0d6afcb51ba6c23d0b4559bf97a8867792684e8f
SHA512 439075b2d63aaee69a5c25eec89d1566bb85b05b699cd10a2d935035e32cd2dcfa4a24673f96a1761f9e48941c230c5bc148546cd3160ded09033f163634cbdb

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 dd2699678cd42984b47ed942734fa571
SHA1 600148556a0956a62d43e31bd3699dd0f5655a35
SHA256 68b96325a3f6859d2e5681eb868b7511eb8ce4c765e0d4cd685a5575a6ac6c75
SHA512 fa0c15f65ac6ee833844338c1d12613505099612112d5d212a868c4f233a495c085c068294fd897b82a308125a5629bcfdf5ea15264a313e78c204d0610d8978

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 1dc4d2679780ad01c7d0c09fcc72c18e
SHA1 9cbdf0e13e5f66b908ecc997c2fd567b30315a89
SHA256 7d5a94522a6dad8989fd5b0c82695a94a908c846bde65bcd8548c38a747b1509
SHA512 3e074e514f0cc9b5be180fbfb8fe3de982bf5d8941cb250f7e1d8363d960e412fe573104ca541af702a6b90a3b913dc3464ef1775dc0feed47e1b2c94cb38009

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 3764d9af84224378e7e2ff8824845954
SHA1 51a55b42124abcf556b110c285fcfa916458e08c
SHA256 0c40f1bce7f68e88a60094009b95cbaf6eef9bcbfc8abc100874e4c566562cee
SHA512 15078c35ff9fbf975bbeb7cf1f2cb587dfa03f70dc8f879b318d116269271d5a8f145019fcbae2ab73b86f3d7ed43d6f6e0acb16fbf0f62287b3da455180382a

C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe

MD5 80786141f50d23226aaacbf927407db5
SHA1 64f090d826b80e073c5eec579571d53572e9fcd6
SHA256 093fa83a38944d08c8a94b917acb20b24007e52b3fdbbffc4d2fc9b64231e8c3
SHA512 27137c659ccf6590006c434f15a04861f6fefd0ce2e8e6903c11a0ca21deea7369796c5c8b8b6c202ca361b39b3d1d45553ed67e7a35d690f9645c881fdc4b98

C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

MD5 075a7d9af7bc628335f815040275783f
SHA1 1d81242adefaed88202762509f8e73ec3fe5f063
SHA256 51bcad043a46db6969bd528f7127d668142450ac93d293df551e34effe29d0a5
SHA512 5be8722126dc7e0eaa0d1885701b52ac63fad8d9bc4a415b961f1a13b4594b1c762fec678f99499adad95344d09cf4ffc6e680e07c7217fb5cbce2c500e3bb23

C:\Users\Admin\AppData\Local\Temp\ioYM.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

MD5 a92ff13923be998419cef2eb89fec3e2
SHA1 49bf954874f6d3586547d02a61d2c3677783d168
SHA256 4daa71083a4cac526fb814f111fae065611c6247cec2559cea294a03981ee7aa
SHA512 f3afe1460c4c4912d4fbd8fea1daed9c32e018c48e8723b34a1e029073b762d12bf5076ed169a075a68eeefadfe5bbaa4e5358a0fda6ddeccc3942faafea8fb2

C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe

MD5 00c374a0f350c8b66081c1cb6f44840d
SHA1 470b721c31bed009e58cb5d30e0ad49d278b6599
SHA256 310f5861a1558fec4331e3556e53cca4a7defd7b22a9ac933ad3eb370a92a980
SHA512 cc8b6da2cff0c2168dc913d3570f47b01902a87712ca8363b86e21d3214c6ca147296e4625f6efc0314a3e9783fd851b1963cd08bd9caa53162fbd0cefa16124

C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe

MD5 e5f33c4158a3657bfe657598fc7f58c6
SHA1 ba01d9f09f4b22c2a05d14c32a8e89eab990740b
SHA256 615cf3b72c1b93fa55b1bfaa5cb92c2966ad9aa4400265bfcb785a3d1ea7a450
SHA512 3e84d8b4d2e04e18a64a177efe220198791843f6e3f3d516fd6bf65b7cc46815e09506a23655a1c03fd04dd732bbe560c6c86763b8a032f12e121a95963c67af

C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe

MD5 21d6e9e57722331d78072310676ecd27
SHA1 0379105939708a35b7e4e8d017d65f009f38b0f1
SHA256 b2e7097828452c02696afa2ec0f1f702f38205c064277bab20d22d2f5dcfd5e2
SHA512 a893473d314474ad76718590978c9073bd4fec3e77fe2bdd9f5a59a53817f9c973236a062472531411d6aa63f5e3e8b08a58b257b924ff0fe8e534d47459605b

C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe

MD5 314f24148bfc415aa5cd6113b4803133
SHA1 b0db1b7cc78d939225e49bb04bd87a3dabf5053a
SHA256 3cca945deaece5ee9afd8f983ec1ec089e16d17ec39983f8e195e211e474606f
SHA512 90ba06a30007c64461be5d5f1ef6a2fcdde831135b0d0055d559505cf5d63a4aa2185b0251d0d1bec58a26bb9a1700994da2ac93d8b365840357c25ab71045e5

memory/2436-1734-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2576-1735-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 21:21

Reported

2024-10-20 21:23

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (87) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\ProgramData\SccEoUck\JOoYMkIg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jyQgAYUk.exe = "C:\\Users\\Admin\\SykMQwoU\\jyQgAYUk.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JOoYMkIg.exe = "C:\\ProgramData\\SccEoUck\\JOoYMkIg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jyQgAYUk.exe = "C:\\Users\\Admin\\SykMQwoU\\jyQgAYUk.exe" C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JOoYMkIg.exe = "C:\\ProgramData\\SccEoUck\\JOoYMkIg.exe" C:\ProgramData\SccEoUck\JOoYMkIg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\SccEoUck\JOoYMkIg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A
N/A N/A C:\Users\Admin\SykMQwoU\jyQgAYUk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3584 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Users\Admin\SykMQwoU\jyQgAYUk.exe
PID 3584 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Users\Admin\SykMQwoU\jyQgAYUk.exe
PID 3584 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Users\Admin\SykMQwoU\jyQgAYUk.exe
PID 3584 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\ProgramData\SccEoUck\JOoYMkIg.exe
PID 3584 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\ProgramData\SccEoUck\JOoYMkIg.exe
PID 3584 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\ProgramData\SccEoUck\JOoYMkIg.exe
PID 3584 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3584 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3584 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3584 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3584 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3584 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3584 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3584 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3584 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1280 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1280 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1280 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_3ce5860a71270ac8e0710851fb649735_virlock.exe"

C:\Users\Admin\SykMQwoU\jyQgAYUk.exe

"C:\Users\Admin\SykMQwoU\jyQgAYUk.exe"

C:\ProgramData\SccEoUck\JOoYMkIg.exe

"C:\ProgramData\SccEoUck\JOoYMkIg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 216.58.204.78:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 216.58.204.78:80 google.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3584-0-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\SykMQwoU\jyQgAYUk.exe

MD5 d34ce0a5790cd4817811e5a44ccf0ba0
SHA1 93fedc70279ef475aa9f0ca51c586a9c5595c94c
SHA256 0a8e2d52bd5f747c67f0ff7da70081f000531f410b6c6c136a8833ab67bbc38e
SHA512 9d86e1b1352b12dcc9fcf2aab9fa21f5ae33c37edeff7efbed88dd3d4d5bdb4b443bc1753c70fdb4a333a7477ecfd8425cd112674d806b25a06d99b682ee7cb1

memory/4856-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\ProgramData\SccEoUck\JOoYMkIg.exe

MD5 30e6ef1e72ed81d37bef2e2f92785265
SHA1 4800a548df8d97aff3150780a6ce1eadc0ee40f2
SHA256 0fa79bcbd080cea706500f06e8a72de86a9150d969edccd8d91f5193a503a1d9
SHA512 8a0286eb8d78ab3a256192a1482e9e7994124c94d74ab4d75450dd9a17a91468b49d92f70a5d3cb8da977cd2f1a94be5b87114164be11c679ec7facdb60afa08

memory/3724-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3584-17-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 6f581a41167d2d484fcba20e6fc3c39a
SHA1 d48de48d24101b9baaa24f674066577e38e6b75c
SHA256 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512 e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

C:\Users\Admin\AppData\Local\Temp\oAUk.exe

MD5 880ff6dad8faa86c43fb11969cdc91cb
SHA1 edb4603bc1a6ddbaafa15763691175af3cfaa48f
SHA256 41cc7b137e664c38e6fe34d6f2dd011d093a35c105eae06d7913775354b75b78
SHA512 a8234826f4872397ff4e68ebf8b2c0080e36bfb16c2a249f43ad9d7227f2ac9afc8beb65a68ec80f515130ae670beb1689dfe6e169cbcb6feab1f99e7c6ef469

C:\Users\Admin\AppData\Local\Temp\MAUG.exe

MD5 9c087af305376ac5024373f727983e94
SHA1 dd63de4ed3dc097ecb1862e296deac675e32d089
SHA256 20dcdad7e57e73ce6a6cdd1a4e997c69cdcc5c128a4a543a079cd06df9b0ccee
SHA512 bdd82015907e194bc2f7e22a499bd6075af4ed4034ae51f3f9684298dff005c5cdb43ae497e3d64cce17ab6e4fed72b70a495b469cf5e76da4030f211314533c

C:\Users\Admin\AppData\Local\Temp\AIYq.exe

MD5 114abcd04efad0167c73ca69bbf08b0f
SHA1 1c42e5272a56cdd8407012005c874ccdb1bc6189
SHA256 3272df7c88615ea6ca078c7e2226697946e954056446eb9346e2768d1e18cffb
SHA512 a3fa6e229c1da384dad774842f26692284db4329cbd3639e77e710f74ff2c61d927dff3ba68b8cd9b85e61731e7ae59d8dd900dc490c3787a41cdc7e9b066ec9

C:\Users\Admin\AppData\Local\Temp\ksYo.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 35bb7b8f8a1fbe2e3511235505703e3e
SHA1 34772f1ae15d5335daf8cfd9a01f81515310a346
SHA256 286f7a09961747098c14d8f8a18a092affc9c04a706f7596a8793fc459886008
SHA512 346ef30a484d7122ad3c85ea58bd48de73b37628be83005ec4a1b865b051e816ead6e8f5095679b513821cb25124b2b134bf51c344187e07b0adc29c4f8c451f

C:\Users\Admin\AppData\Local\Temp\QooO.exe

MD5 ef598bb0fc4d66ff09cf9796a31f200b
SHA1 5696f3fcf705fbaccc8836acfa540f5a8ae2473c
SHA256 c53f2f8fcbd7949ecb411db6ba250f925764a08839216ea3f9b2b41f208b0628
SHA512 7e88a26bbb7e407f526dfe1d17017d21aa83017fc92810192b56236da33592af2cfac14b89cdcd9296abe53066ddbff6da71e9bbcbaf86f1417bdbfd8284232a

C:\Users\Admin\AppData\Local\Temp\IQIo.exe

MD5 142964251c6aa6cf2fdbc224964fc1e2
SHA1 bc12f4e199e5ac4d05e520527ef6d60d4d5b1640
SHA256 add4a944f3b79cfbc16bdb325d2cb8cad71f01b75e88af826693b8119529c6f6
SHA512 ae49e1a9c884018338da386107f14da60b7d0ec6f66cf018d1157be9b4163d4417e339352ec5b893330c2e656411b44675cbc26d60232462a1f14ed0748befc8

C:\Users\Admin\AppData\Local\Temp\AkQw.exe

MD5 f5cf581b0ec5fe0ebed658654eac073c
SHA1 da7d1c3b7f74587910a08ecdb77b292c918ac16f
SHA256 a0347ca3d04098d643ce1166410b934493b9899c4d33a1d31fb75b4661d8972e
SHA512 dac36ab299d1e4ae4ff733b386897d0f55271563fd1f0a53e34454784163d7680df69cf97101cd9f0ccbced49d9a1c68882d8e17b24f85d082cd58fec5cb359b

C:\Users\Admin\AppData\Local\Temp\SIsg.exe

MD5 28f82a8b62858d137bc9a95575c449e9
SHA1 7483a3145a4313fb2e625ef20d58650ec13f288f
SHA256 71dfeb50f9a6ca0d54b8a92057d331245cc1f70ba62e001968859ea7962a6535
SHA512 85fa5b7499090a836ab681ef1e18516ea1b4e25215c0344bc7279531e0f775fc70f473453f156690fd701713977cfc3b5ce227f43fc39e19b28bb732dc114f3b

C:\Users\Admin\AppData\Local\Temp\ucAO.exe

MD5 c69a46865527dc9c1bfc9922fa67ab53
SHA1 d9b17260ca0801b2d22d5ac0ecf5052649e23d41
SHA256 f81b21b1e6a5632b4f0d1b7372a64336e2a613de6c49091b8bf2885a700ddd5d
SHA512 ece2066c916836ef411c8a91840b4309b59efeb4ab873402c83e0475bbf27bb0ea8ac922430bc0bfa7dca27b9b59f28fa775c0ca22e0dea70755e9d58ada6d5d

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

MD5 464825af15faa0f107722985345b8557
SHA1 a5735ea1d9c9b2b5260248d2a1560d455041078e
SHA256 6d8d604d598bd24fcdcf83c872ed883572291e3973d08ac23b42ac47c52f427b
SHA512 cbe8e4ce0b6356bab4c2807b9b955071952b4014fa87e184c678ef1fd2465d6d837448c0a37883771fb49e317679eb7a9e02efeadbaba2f0e29841321ee43987

C:\Users\Admin\AppData\Local\Temp\ykwK.exe

MD5 b382ea01deea835604901be3e1ea0230
SHA1 9b1ef0a319d2a0cd3ae6f7a501abdd088805a6e7
SHA256 9815fdc882f56d7877849f1cc7c9646fe1917b3793fe03596047111084258d2a
SHA512 2d217ccfa35209f8e7d3a8aa7ebf5f78893a08256716ea424ba3c33211928ffa852ff2c1a182290a1421c1a0df1f68442dce200c4d146137aaefebe79a7791d0

C:\Users\Admin\AppData\Local\Temp\aoQY.exe

MD5 c6d1f708a4a5b1a7b8aec01f7d4c3216
SHA1 366831c241dcae29522b532f70699cec2925f1e9
SHA256 b801f34d5b3b2063d0d501a29e0d15ba7eb8b154d504681e2f4261380996b63e
SHA512 54318c62efc74e462ef02d94da76dec5232d135f6e246da492657260b7e0ed386ac5a26a630c0d9da70ef2dda003d849b289e39931ae828c80f3cc70b03fac00

C:\Users\Admin\AppData\Local\Temp\sYAI.exe

MD5 091e3da43dbdb027750fb2008143914b
SHA1 a876f4876e6428f3516171983d076b106af8315b
SHA256 ce5b167d6ed4f0fc95e5444c7c8a12c348bdca41d43d05ca87bfb48953cf277f
SHA512 263268a8b23caa9416f7ca43d8bbec46139889c65d3d914709f58a24b7cbb6ebbf16f34ab57415b4d1576c3946ff3debceeb8e427da74de61e4a54cf98a2f78e

C:\Users\Admin\AppData\Local\Temp\qEgi.exe

MD5 8acaac4cd792611e6c6d49adb2522eac
SHA1 209ee1cc7a49b8322c3331d226dffb02f0fd70c5
SHA256 88bd755a8799b56911b32cd9c39912fc35747674a033dd207f39b640ae62f73e
SHA512 773d96d08d2bddc66d35b35842a8dd2fe4559cb9ea815025420996d84254a03e27639d6a266c274cd9995b2178cc57e05b18ada9b327a3b2cd38bcc9052b1e84

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 9f96107ba2352c32927de8973f9912f8
SHA1 26bc7d6bec199e19f2a7a2cd8ed15b98734508a1
SHA256 48f965cb6afac8390cde9629e0a53a1d6f5a756ea757bba3f4bf4f0878632405
SHA512 628990c5bb2ce8e73e61a2743092bf1645b6641c8378992f33a313ccb2e612c48a4f774f23f5343265cf242b73dfd9130899ff5039809bfbaf53163488533fca

C:\Users\Admin\AppData\Local\Temp\gwYi.exe

MD5 706e284cb5174aacc66278e6a61e32ee
SHA1 6f1877b21335fbf90079f684eae5ec2e0531c89c
SHA256 dcfb971bfb80cc945d0c1eee4e05554a8d3b9ba6f85c94fd48f80724fdddf8df
SHA512 b134a9d43bd917441a076114f3540cd22676d2a3eebd38dec6b6dbc26a96fce68363abc2e24b40973bc5ce9502397cb6ff0ad725e994fbfabe146f75b10032e8

C:\Users\Admin\AppData\Local\Temp\GwIk.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 e40bd632de03bc47e46ae5af47c7b2b7
SHA1 c4c517fe49a66885481d84fb88648d2cd31a4736
SHA256 27e40b9aa0a591baec9aec17a914a84ca886f5c73d98a1136a00ca3574ed6a8d
SHA512 3a25d54776d9f99fb124d7e7feaf61c803d7a7a1103338362299fe719832ad78ab96fe6f8d44f4b617df1dd6b5d777005822c699c14d394f1ef91660773dcefd

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 a47e188d3f9b1aa4bd69a6f8d03c8833
SHA1 53a5a099cce0781a12afb7d27406a6d3957dabe0
SHA256 8c10863513c7f15ee78dce167b5cdb532d608ebca7c09fee50968db9ea666479
SHA512 6b9f76e7f5f8c32cddc43643a8334e8e1f9415b87798e111970f0ead4ca3c321ab8f40ee28947448080387e5a7a03a39a24461da6d1f4b7a18abf3853a2255b2

C:\Users\Admin\AppData\Local\Temp\qEAs.exe

MD5 b5c0b103b3e2d8d684f1b5f698dbaeb6
SHA1 a8f57a526457e9c4ccb1ce1811d3c770b347c6ee
SHA256 8413d426f8ef9d282f51bdd6a18ba015399f98dd25ac1d384ee5e7f126ff9e57
SHA512 41a901410e94608f0bb8139b191019ff3e2259cb7bff6a17426f51c6bba47da7aa457e7643638d25377b0528d8ea1e64f911adb70a3b4310ab75d72eb14f8d6b

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 974b88b2858bf66737cb91b67ebcf798
SHA1 227fa2041e6c8c3fd66eb383163d753cea283f56
SHA256 fdb68422d0c3f7827e30d4a2ff0ea05cb673bef491156b23f439a81c14316434
SHA512 950c1ad1657004fe597565b696fcc399312f749362c1a0ceab536ca5c93931217f75be5b58e686dbd0e39e0e19c4f59b76206705ac2d3d5de26b0003c97f217f

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 2aee2ce352e25bad38a71a195f584af9
SHA1 4c70b1720ff8027d42fba9abfedc12406c9afd16
SHA256 cb3b25d463cfffbfcbfcd1173a5ad6b6e1cab9d34f15014ab85af823cbc8ae5e
SHA512 1792f86f9a159e4814cad65b8b64b2089a4cded38d2d50b65e6f22cf24ec4b9feb5c15d3ae0c302603c6fd16e07d5fcca2a5843ac0e90746a2eb2807034a4575

C:\Users\Admin\AppData\Local\Temp\WooY.exe

MD5 ba6476d74da691336bcc4b23d919891e
SHA1 6905b852840489728520039c497a70ffb94091de
SHA256 e392f6dd7b77c67c9ac3665afbafa11828f884736a55fccaa84f0e8c47dccda5
SHA512 f5a44ca0a06b2ccc9c16ce3cded0a140e80eef555e3a9aba1c6a910574ed2d7a29d0b3060b1b33f8bdb2923c8927c8d3e617a7e786384defeb3e7acd0cae8fb1

C:\Users\Admin\AppData\Local\Temp\uoUW.exe

MD5 b39cc7562fbd34b56da7309930caa789
SHA1 ed3b2a811c40b3bab785d80240faa4e2766a826a
SHA256 aced0c4d9fe3ee7ee6e6547c25378899fa5851acd60c8a183d58a957fea73a1b
SHA512 ae293f5150bcf36e0a4b10ef0a18a53bfcbc58c66a2aa32697a6243ae2d5271f0cb0e541aeb940537da893abe430979293b4ecea8df16d4fe1aaf305ce814c82

C:\Users\Admin\AppData\Local\Temp\Awks.exe

MD5 6d01c6a7dbd0d5133d5cc4cfd223d383
SHA1 9609a687468a6a4e498f136a6e49b914f262519d
SHA256 ed1166e1729616644b8e4c9ef4d541b8cc36cd4ea2400a95d65cc2e73b77eed7
SHA512 ce08e39f6e3b1c1fe276fae2442be4c6cb62db40e7f0ac18f1d1e1343020aa2cbc9f3e445a564690bc9acae037a961fc9d70d28eede067d4e2ac8ce5f077e1f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\128.png.exe

MD5 bd59ad0e49d92b0ea0dc0f927cbb8e83
SHA1 e2adc51fd40b2b67244d247d5b02504e804ff001
SHA256 8912bd562592b6d3710b2593bb18b5ebfd7734bf288244ad58cf8ee56cef151b
SHA512 811f1359ed24deaa7a07c8c67a4475843db36731fc60d3005494bdac20f53e1c5b44e426eedaadab5ae9d06e531d1a5bee1a7749ec83876a0af5fc4b4b7696fc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.exe

MD5 c26557f23d93e6208b0867fb22fd2401
SHA1 ec9ac35cf21cff3b764418028d70fd138d3da523
SHA256 b0331b06abe56c777ddc5ca11fa2f557b18031a361f5970aa6876bea301aa990
SHA512 2d85332eb212626693446b158d0faca001a6c8d4fa2ffe8456cc3c4c98b117be3d2a73e9626a4f975c7786f7eace840cbd930381da34516bba3e7a447ed151c0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 d55482ec2f28133af22900358af3974c
SHA1 35ba0b305474babe50aca720133dfa1ee7e6b2e1
SHA256 df6aa4654ae024cdfe8f205a1567116604bc27eeb14c2e09da14cef5cfc10061
SHA512 bcb34ef5da9ffacebd40f41647cedb1ee245e684b92c0ad121c0945445128a5784500bbe289813f4aac32d7d074010b20f6160a4501e915e8f48446d5cf1ee8e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 a0a73d330a7b13dc7676b462076e61f6
SHA1 edffdddf32e38828443db7cd9ca5a64e3c041ab7
SHA256 eb1fbcf932b27d79e306a30c15705a557be11f280245705f3f8648fba22685ab
SHA512 c8f8e1b60e80af00df9acc86c380ca797af00f06da72a976447bbc96734364660f5b320490c816be9e65a8429c520268ba8321c6a6de800f5a83502325d61106

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 639a87796658618eb81606e3813a3405
SHA1 e1ebf6ad6b1b132ddb564cc836b9549a35c6c1f4
SHA256 3862e6f5278c9076f8d4e8210192bcff011ba80b961d5939245496469fba9280
SHA512 e2cedaba26b3c528f91034e262d1c5c27fabf1a87d5b9ce0d5981f44a5068338e3fef2ab67d68939a285cf0054be2a7f683095549133a39bfb645156a3ec3d44

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

MD5 740220410ff3003de89eddf912ff8be7
SHA1 340668f8296ea94d68586a5d30245d21693b0d24
SHA256 6805e3ec46089879a109e3ce75f537043c581aa83df6d4c89bc2372308526e93
SHA512 e3db4ccbc5ce8df2efbf5fbb239f84465bff64990d0b07b75aa576a39abc6e70c855d443fda5e67228aa3831c84d5518937f8afe50533543855ded7ab9385647

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 0e5178150cf99f46efc65bcccdc0ba92
SHA1 e533c7863990201d123a3d2a2584c6995a1dfb69
SHA256 0bcc45d168878f24c92b5717b320aebe0ced256174049a246ea75bc10715624e
SHA512 9c3042b73340bb2cb7bfb4a69ea600feb152ac054de2e283a3f586067d8e6e9667fbbe89dca6a8ebdf08aae6b8a98bdbb3beddc6478250c1bda87c3b3c01588f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 8b5f11a0504c342a95c36f0da4bb2bea
SHA1 bd55d37b241c32196c589887b9d02c4ab1608bd0
SHA256 91adbf9698df6b085187f8497c0d1392dbade5f201e05767513de36195ae452a
SHA512 234fb10724f39c4f27f5f978cb5ea7d0763cfaec12c13110f66a1c3a2162798456a04ca06cbcc14cc7ac9278f728285bd607e421dbdc4db0ef7b104ed8d80cb5

C:\Users\Admin\AppData\Local\Temp\assI.exe

MD5 bf9e3c1033466d0618936d3bb8c9d285
SHA1 e617abccb71d4ce84d53ef5744b5b236277c88ff
SHA256 d7d17946ddb2c37e43151cff7bf1f18f031cced492f6c0390cf4e3f802ac56bf
SHA512 472de4a858b2a81d6632887de6a58904fae0abf108d91dd98a71f16d1cd694f5f6c5e616f7dc480d05a57b184ac1af89ef3dcf60f0e0775ba60e119f3c2804a6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 cba5d233cc10514aafb0772e481c2b5a
SHA1 b56690cfd9c0a11b97e5a90781e333aeb3351ff5
SHA256 4df48a1b098afdd34dcba60fcfcad426a85d9dc6fb908c641813ae607c407552
SHA512 d2bd3231c9cf6cb171af5a6766ffa764448cb2a7e6ecd059a09024c2a1569184d66682f7c94816cf3dacd3815ea63e4527657f1384972e3a993093be53415fe6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 e55f56a1f6eafabb1adba689e59c1dd9
SHA1 d8562e4cd7c1c6657c2b9405d88340bb504e8405
SHA256 387fc81ad17122b80139d2fccdae4d83ed5aa616ca888f050ce3bb195598055e
SHA512 c0b0fbe1d4ad32a3d60b2fe146df37b438aebfd0224c7d3f558072e347fc701a2a4398bb554f5679542aa6690ecf0d4239783747d012c5e392fe30972d634d26

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 874cab81555dc1830231b075e46a14ac
SHA1 86ea9ac31b0e7c0f93962b590e5565ce680e65ea
SHA256 9ef76d156a8d5f3881c52521e75253a25584a932222deb5192b5863a89b755e7
SHA512 08964d062c268612cb358f8e19869a77946fac98ed5268e3490fab04fe32cdec68d619536363fb3bdea7022cde121809e888a6a42d2b9af3c28ab456fccf7606

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 db558699ee4425ff1eac0575a61eb87d
SHA1 ab1f284e929c974b41fe3faa1f52b8d255adaa91
SHA256 99b444c16bd47fa6be1dc5d9d50f4035c313251e03e882073e16ff941c126e48
SHA512 c58023db2f8cfc0becb0b12b7ab308c575656fbc0c0bac00824d6ecf3c07d7e14371099a3c87301dc3afcf1db2b88ed113a0463b04dcfbedb14fd7271bfd512a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 d78c27cff43da0281c3989ad5d623651
SHA1 e123e256dafd83926349587579fd4102fa41033f
SHA256 c46398f4082cb9824e956783ac762a2508cc9cdc013faa2f42cde2f32b4f9f95
SHA512 d864c99bb0231bb242c8d167be2829e5ab2a6ed20d54a00542bf78ddc97edf8d0576c82a9cf55577058233ecdd05162a799130ed135b9727f594b7cb21dc6aea

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 4c661f45ec2c30099f057f333a371356
SHA1 de01fa4c6ed4aae4b0758668c7e3dfd0879bcde4
SHA256 3c69b06ef6558b68d44e395cb570c87320032c9345bf22b80243bff738baaf2a
SHA512 50a565601211c3831013e89fa83390ee01c7999bb2c4c9e8c00ed028d361799c2b177b00b2d2ea91ab24940039c5d5adcfc2c35d3a44b601183754e2476bb353

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 4bfb745ec784a3a1c1f9cdd0a992b252
SHA1 79227877ca2e071c092c5e093c757277bb2677e6
SHA256 9f470624e591d47cc207e3427f32ec187e4aaf10f72dc47823e7b34e2775fca7
SHA512 b137d2c2e169706ee2707c22882d8ee9b7b67f630bb09e529cda9e1c74e8fd6bb49aefb1c963246d20346d08f0c5b9aaa499ab7b1d5525fb59532f7c0fd94fdd

C:\Users\Admin\AppData\Local\Temp\UMYa.exe

MD5 ea4e2a39440d99d8ba7ee3c1471a13d5
SHA1 38041910f7a1f51908ac3e20b056e3d3d92debef
SHA256 167c7ea433b425fd73a4612dc72baef7c017e983172252a100f513d29b23a44e
SHA512 206d207fc3c26b602288daa570ffad735c4d59ca2dd1ab470832f4d3f813cef7ad6dc8379f465fc317e9942ad244b314644904fe8a64fd7b403316081d72cae5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 93f73eb6273655f5f5f76e5dad3db09f
SHA1 3729a2ba098aa6e1006c51a37a702f1df1dafe3b
SHA256 05e0d9475287ac112c28a6c12cab919ed39eff16695d14bae55da40c42c8f4dc
SHA512 a92aa8696fe5fd6d25af22a2c299902bd51b3ef1e7d3715f028432f62a801a58d24358bcef143be43d5423660604541b68af9282c9a6580342f62d8e2164c67c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 bf9a449a054656f15388dcf7e71fa0b9
SHA1 7bfe30f114b297a8b5c8b9722b9981f8caecd929
SHA256 d5b5c30e0e951aee8e1ad1d4a6bb2743c92a43bdd6d66ba3cedeaae64fc0ccd8
SHA512 868299c8709e3dc91a8cd71807182a06c213102560bd94d2aeb516ea21f4e06e05d6a5ec77910ace6db9a1b03042c02d22a364701b4d1202d1697271c3f7c8a9

C:\Users\Admin\AppData\Local\Temp\YQAQ.exe

MD5 4ca1e8ab7fdc2fbe3951e84891f08e78
SHA1 a5dc4d409a6a0e90e4a10300fa0798c2aa8361b6
SHA256 f38b963ad0a103e09445de038a22c224bde0568cd076a744a0403eb99cb86be8
SHA512 1a5fc5826c74bba09d7946c0448a011b73330622ccab6c1597c0c4e9170462e0eb0ec9a4de311753b9f16fa687971fbd97668d949c50608f3df4a98f36115d89

C:\Users\Admin\AppData\Local\Temp\WQQU.exe

MD5 413916e1295aaf6005a928e6f1e6144e
SHA1 cfc2cc3ce6f42abcb1fbaf0bf963552d43169611
SHA256 65311936ac3c2db62b85dbb91afad6a281bff03abab7e9e2c6175e9f9e4e9e0e
SHA512 c3d19922917c3d9ce927fe2be0fd2b65bea4729cb56ff087e81c56785fc30cf5542ea5150a70b41617e196929341a30335f55e12bed4d5e6211843877b424e53

C:\Users\Admin\AppData\Local\Temp\sMoE.exe

MD5 3beeb762ed6fa09bb06c5f2a026bfd6c
SHA1 5efb5a37f10fb74485c60fe90ee11a14dee6c1c3
SHA256 51949e0fe50fc3145fd58e798b1e07ec77d3d76f354f51f6bc98999eee9dc395
SHA512 c3e070087c4e156fe321ce21e8b28ef994dfb855cba15b3c3fc0934f2eb814dc2f536843bbf05f2646d727089be2f21e3bb1b027506128f0c09c60442c438d2c

C:\Users\Admin\AppData\Local\Temp\WIEc.exe

MD5 9705c1b670a3c85d28b0101b49fb3c54
SHA1 8d3b0f77b84251c23ac6646bbec5b68c1179f04e
SHA256 65f576f23c79c8da731d1db95520cdbd7da37762b5755af3b74e398a36aa1a89
SHA512 39e1da4e5c65fbbed21e4f202bede27cc64262dec0bce79a108ef7e1caf4be0c0d3fb3a1d328e58dbade21c80d9c96f3472ac3f1bee2f9c502f90a73a8c410da

C:\Users\Admin\AppData\Local\Temp\qEgu.exe

MD5 a23f22467defda896e29173c8a43852e
SHA1 fdb3e4423c978966773832287c70c7dc52e44e3f
SHA256 e5bfe28b8c05284bc6216d1443cc8b96770582005b657228d7813ffaebbd9336
SHA512 fac1c74e917ec3f09fb5d88c25a0df9dbaa845818b1df6b3e29cbb858838a27dc2b8fb9a52be81cf257205897e30e3fbddc2498d48e50263f150f96f9493b249

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

MD5 09362bff28a39fcd5127bb8424c25062
SHA1 b9b5fb8d2dc763039766b7cd7951b100d6c74e31
SHA256 8b36f0a9c0a95465ac0cff9526bab13811cb48c56433ac917120c976d1cd62a7
SHA512 d3e431313f5f0fce31328034302162933dced47fb0b5f8d7b569ee83cbaba6ee7073c9af43b64cc1918cc09db6d26fba07a3c923b615c2413dac019fb89895f5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 8bbf2cd522e26166a662397871a2ae57
SHA1 14af5b0774fc9f24427b780e68e5896b7087a80a
SHA256 e004f153c138a1e8d294003362423e22889adbcf072bc96bfa8bb82ff9072223
SHA512 e19a1f7607b8aba4fe8d7e9f5a74cde237fed442540e703e969421790ce156b9e3194a7e871c2a96716b9f133fd4f65b44b933aa9564bde2e24d285c41bd5964

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

MD5 20ed1c696becc2ac9f8e20ab55ac96f6
SHA1 c71d36b9646dcc1c30cb36f0d76173b9c0789d67
SHA256 985be77e0e03e5108dfb33d7025eca3f615672d34effed4d26d6441daa7381eb
SHA512 4e5e680bbf412d37e33e9872cdee3b2c51ffbbcd0161a4843dab2959019fdb542a6e711739c0c37bb853fd68963874e92950ad8c3da80cd97f920baa64a35575

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

MD5 f7d177646b8fe52c27e1d81dac42275e
SHA1 b7db2a770b9287f0ce450d7253f442ca9aeb8069
SHA256 6df689326db42213c51c881a52072edce11a1b5eee255f9299879451e1ead373
SHA512 9c0349215b0db1a0875eb16b333b12c010a7d5e13620ed1a5e60498056c49bf4b12f1aa13480ea8010957bb858060386ec011c8f487e05ec9814abc9094122ad

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

MD5 a8947a53610b0e87eff36ee607b79ba0
SHA1 abd72b2f9b862616799989323352194bb482717e
SHA256 6024d0d333d3c41464e46563d29edff072a7ceb36858f9797f446aad5f04f394
SHA512 3e6ef8c5869b917bee89165384da95d34ab356f39fd9baf8e10fe6247f37a491733f24d8b7d9e692730a44a560a3683ca21499f322fb7c52384c6f5e36540b12

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

MD5 7e7b65866c0fab9161f9de5a3c09b689
SHA1 f6c4130697e584ed8d599372ddfcfb07e9097aea
SHA256 c226370fba5023a8ab2df5bc02a37be0dff298cdefa3d6844fbe32a52ae454f6
SHA512 e743b310a87ffef7749e49e6a9b4cbb59acf6baed836f466a9c1fc6405b53ed196fac0a750e494846715d7d4b5cb1ad7b0788edb0a8cd946a881448ac76bad5a

C:\Users\Admin\AppData\Local\Temp\SosM.exe

MD5 5447952e5a92253111cd0ac596a4ebe1
SHA1 049ef56820dc2c2fc65e28421696553dbb451b17
SHA256 65cb588a8d27f554f8b58b3c424bbb0247d7da275c72401285e9eb280e9d3138
SHA512 446f0a64c348f22d369197b4df99b19f04f927956f362a33e65d0e015d77acbd1c78dbfe4e38653bab07e8e6206e80ef189ea2b0e27486e4433e6a395a6c9e2c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

MD5 af734d2675d4576b3f0c400630619fa6
SHA1 b70d1b78c3dcbce38692078f29b219d9ad5486a4
SHA256 59501b75d3ee180fe4b8b4d4fbfdc475516c4d432ceb3708b32716da89d9de01
SHA512 9e18fab06148fd4e5b257d44fe7cb9f77e111d01ec6eb76f4b5413524775a41e4dab1d7ce240d54ffd7993e9894e78fb1573d9bea172f3e5f4832079f1761516

C:\Users\Admin\AppData\Local\Temp\wcou.exe

MD5 8626140add3966a910faf5914d2c1542
SHA1 df0f880d4883e7f3650279b97020b35e7a6f9b43
SHA256 19aae1d136a59da8c68e76a4b8da5e301d8b83e696479fc19aaba67a2e9bcf13
SHA512 92e9c7fef08396207d3a5ce285e763520b30e7553cf006d3102a8349f5a6a3aec715c9626f00f3f7a521697898ed8317c47275a1bd2e98ef14e90ded43a8a317

C:\Users\Admin\AppData\Local\Temp\uUYA.exe

MD5 ad6106abd9df456c5ef6afd92a9bc673
SHA1 074313467c1da44fa072d18adda11bab3e40fbe8
SHA256 de2ccb139375326ab014205f44e83bb61159e40ec6ad9f34387cfb39bf91e706
SHA512 3e5a179daa3a808b99d33facb2c207bf9ae7b8130e27d435de4ab5d55339e632b20feb08a66db3aa8d574864230f7ab093ff0dbc1818ecd5f98af999a0a54683

C:\Users\Admin\AppData\Local\Temp\mAQu.exe

MD5 16e1800433156cf43615ad51cf0ff9f2
SHA1 9f3249e2ad2138045d80025c98882187348834c9
SHA256 2a597a13e33eba57801cc43e4180dd743c795c2ab19ec11d3f38f58e6e55c34b
SHA512 a48b2b91918f28ce1247c20928eae72dc56856f702c6efdf90126ee297f5ea6517e5eeee717fef0831d9dd464ee197eaeaa7bc72f60650bf7cf617d327413fda

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 9b1d9e16904bbe8d684803ef7b0d33d0
SHA1 4fc7cae9052200d42900938fdf2bb31c9ea204e1
SHA256 7455b7d9c1b2c2b721450471fc2a4e36295d1a51cfd0edf5a9fef46886179d40
SHA512 83802d5d624e386f3df95d5c7c035f051dfb89f36aa5772907bed35f7d00947882f211cb40b7d337011aa4e536e06a2a552930996c83b3ae9c0389b8b9edf7d2

C:\Users\Admin\AppData\Local\Temp\SIMm.exe

MD5 b045fede4bcaa8bdd0bdb7a5f46d2751
SHA1 2592e0b54b878815a90449a5b3ae39b51f845375
SHA256 52a9c483e45d1bc40f0c4319d833f58bc40c29ae6d0a3507414d7fbab103644d
SHA512 f660e37fd26486bc873deb766f022a64550296d065ba232533410ebfe87918ce8d43fdd9971bd9ae8b07e88f66ad0fb2b1f9a9b24665342c6cfc932ff4a1330e

C:\Users\Admin\AppData\Local\Temp\ygEK.exe

MD5 5ac97a7880d9da1256059a171b3e5a41
SHA1 b2097f2fd86a58c3c778a610d96a39ac1bc9301c
SHA256 fcac780ed04ce5a0937d5f5f970e44d79b4dd94aa34bcac14d8686a4c2409c4d
SHA512 f37e36be2bdd4e4f7b6b5c665ed975214d3079a604d64fd1bd5dd3436f2d7bf5932e3ab1df118081b8d104865ce8581b2e935758c62ffb66fbd4bf186c1e8ff1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

MD5 a50b2846931c3de5c100533a9cf50d3f
SHA1 0ff57e5ec7e91e1d571f815c0aef25dc12cd01ad
SHA256 ea76eb0f765ab048c2f90c36d9f1ed33553a6c0cd6a63ec44f24480bfe264abd
SHA512 9be12abe991475a9f5bbc531ea97afb2d1e4b9c76302d743631dffff5a90da7da0f91dd8c7f48587b374c5d7dfc149d7e418fae1653609d56969875e918552a9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 abfd04c2d29204ebdd8852459af5589f
SHA1 3a1ae8b07758e47e92254ccd4cd79b268d86b8e5
SHA256 97a885acbecc5ca2b2c83127309f325b7d112525d2ef0183a90ee803a53eef9c
SHA512 72e0e29bead47fa05359e00fafefa6cb2625c7c34f880c2b62b90bfe9210288d642be3d19a6e25518cc87603351e943758e6b83719d3286782f37a36da7704d4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 90142341b1e69b38dedaf065ce318feb
SHA1 3fcd606cd22a2591c1d053247b0103ebfacfffcb
SHA256 7d6bddd21a8ec1803b974323b6ca09c6831f58a530266724665c7d9fc113459a
SHA512 68217beb072b81cf5b3237bf91e53a36b93f4791acee9bbd282a99aa9de1b7b2e123cc7822c67f0c9fbdd917de0ed6bbf4774bf3c0c4023c77214a3a265d3875

C:\Users\Admin\AppData\Local\Temp\MQwi.exe

MD5 6fec99711895884c38120e7bf99653db
SHA1 59623623039714a554a91ed9d14b71e1d0d0f6f6
SHA256 7071efb53c99f726494cc1217b66b79b4cb61e3b801f2027f229ebe4f5c05896
SHA512 494caa5609b75d8ff92970b6f4edad20ce33993e9bfe6d474428369a584e02ffb0037c6726815de5c7b7f48dca3d7adc7f9da833f8ce980c6fca5f86b19030d3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

MD5 33782b4a2da9b6080f0f8a1292602a61
SHA1 1dfc0f3fa1a564de0f7e596fdc50e3e923ac9449
SHA256 ce81a17c779eaf4a329024c9841fb1e2d3e05cbf045d07f4b2e2f425b19e5e17
SHA512 9bab9eb4016781d6c983a9b481b2259c1a7916a5ff8353225c61002233963ceec249d70b426f085581e6b634faab7b4fd86d29dd75ce1e0ba4fb36cb94ab4bdf

C:\Users\Admin\AppData\Local\Temp\GsIG.exe

MD5 f29b77ff0534471f834b571877dd3618
SHA1 d81e72815ad883af3238eb9852c7bec69cc952c8
SHA256 8614771887e8cfedfa18d93323d18d0bf2251627afadf918c3435938b0d81f18
SHA512 3a00b912087e015532ca85ffc87c4d857070accd09d338eab7bbf79a7385ccc736209c21280fd923d4371a28c82742361af8de734561bb37a4dafe05fcc2be7e

C:\Users\Admin\AppData\Local\Temp\Iowe.exe

MD5 974f9b06bbd846e4fa629ad53c5794e8
SHA1 239e4fd743632637ede4af84a85961f10d2ef6b1
SHA256 85c820a153ae23e22a48cd228acc3528e061f99ff72536d5ff70c5bdb2c064f4
SHA512 330c9e62b4da377062408c8eafd02df77a8731461c396fe7fa05024c0240867b642c115278e1c93a9c6767af3a4e1e3d68e641f7be55e4f2ec53d98f8fca4464

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 21f20e73d3e53cd625442475f42338a1
SHA1 fdde7e62778603b6a0d8e013e7366acb2720b12d
SHA256 a568248f26ccf6d95dfa8f54f7d91e6183df86a8079833f008d853a413b594ab
SHA512 c405499674638d3506840f93ac7ab4b546895908aedb5d7ca2e35302d7af0068ac87ec7c9b2988316ccd346f1fae8f4beb57aee6595a8239c68efcca7c50b9d4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe

MD5 29a0c02a8137cec7332c789a6569bc2d
SHA1 70d07426c17e91b0a371527b301bc80ff67cbd02
SHA256 7bbb409bf712dce6662d0eeae9cc7452d8674d90086010fa15068ad8a635129e
SHA512 d0fa4553b1b628e06068eea1ca486c4a6874694b95d939aad590db0f07d5e60bd7797cc3a9eb9f93835ac4a270c10f5f79f0f243bf3920f7ba80e6499edd89aa

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 496052e28afcc8bbfdfcf7016f75a9f0
SHA1 bcdeb95dc86089eb9cf808976456dc4af39a8794
SHA256 06c7fdb2093b5e0ec323d139d42ba14dc62a3d8efaaba9b65375ec9a87cc713d
SHA512 208b937c2d064bffc8d8d9f4e04722235e8ee9077d98ea4c93e686db612fd69eda610e6b623b606d58cda775c6510b1bcf1623086655ae0f6f923a1b65048664

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

MD5 5984eed0bb418753eec01be42af8fbc6
SHA1 2b72c0f24b79c325e1bea8e25fa00f49f25f5851
SHA256 1ae700f3aa00ff96b8f7466cd2ce872336a5aea6bd4c49ffff13cf6a8be931f4
SHA512 b980687b45cf373d6bc97e00d321c489942e0642cfa6a564fe35ed1ab7e7160af22170e3b794bf68b2dbc64f3752e1a0fcb228d73db2fbac95bc155fe5e4659c

C:\Users\Admin\AppData\Local\Temp\KcAS.exe

MD5 e886c53c943f33a7c2c826774833637d
SHA1 fca9b30bcd2462e6abc0a087fd95926fb99e9b47
SHA256 212b9f09851aef2bba7083edb47c8aaabd23b1d6962a3b1366c313fb7a353a12
SHA512 28fe1c07f9a1efbac02f655b60f7bd17e7de81ac6d114a024555c5f3459c7c6bae233d5273c838dd4c5913c0e9d45ab30a4950c98a732fac27664e72b0b0f7ef

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 0f887128a16611c01a452a66363c7986
SHA1 f744b79c87c4f53f089485f17340d1bbe06bf69b
SHA256 ec2383e3b39bc8a975eb8e007e5b742921b9003a0596ca7c2703012435084424
SHA512 fe7dcfa100c672234023c914754b269199aafca04cab79c1d7a5fe4d5c253b41ffed2bd7c897df6352255c527cd59b72a46b3f342d1ae76266cd0e7cca9a8b52

C:\Users\Admin\AppData\Local\Temp\yEcW.exe

MD5 864270039c350daea57001e63b65655a
SHA1 15895c51279cec8e56bd884d990db5d25e763f7b
SHA256 38ef30bfa1bf64fc82312925e031f88b85bf202a5319882bbb57ffcff410c149
SHA512 0795d59a04a63ba294714a418e355085a19f5543bd969091b0ae2fc0089a946e7905af016a5dcfc6d217708ba283c08f0d7a0dd246536bdfc8962a8908a14d10

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 158333e9cc735972ce8202ee1609240f
SHA1 2ad6ee42fb4530fbe7a8e2b81a7fb04146560478
SHA256 201140c882885c71944dfef3790d3fc0495630b9d7e645d6390d0d9c1867edfb
SHA512 ea4e1403cdb7ff0a17364f8618f54c8493d477efe4f87c0944f51e229a7bb106012efbc4e14bd48837f3c3c853af2b10d46d7ff1a82e813abcfca205ed32f33a

C:\Users\Admin\AppData\Local\Temp\qksi.exe

MD5 b949620fc96bdfac0839390ea26399c1
SHA1 d6119253a3aa2c9cb68f81f508b38dc6a57de1d2
SHA256 0e1736691935b997d56ca32a39e3941fcd3b13a49b53ca8acf29d019fb84fa2f
SHA512 9b7e08838079fac3ca9cd8ebfd60f3550ccbe7d8785615860fad34d90d80f5457a1a3a44663f6dc950363a74c3a2eacbab9513ed723b72d77f31e21d211ad2ba

C:\Users\Admin\AppData\Local\Temp\GsAW.exe

MD5 cca91745e8af8a03955afface0779d2d
SHA1 00182e1aab56e6c4880a9482065403ab3bf4d9b1
SHA256 2da07d6053a45d792561043c5c06742f3bccf828abe1490ef6be02d5c7d308f6
SHA512 1a11dfde008892f2453020ebdeb30aa3bcb4918e2b03bafe18daa6621626dd372f316565bf49995cc17a32610d975c60dd9c2956769b024e7e250cbe3f336b84

C:\Users\Admin\AppData\Local\Temp\AAQA.exe

MD5 79520215c5a81b43da03c5f1cc8b5029
SHA1 279b1f099f952a5584b16af3fc80a62fa292a1e0
SHA256 452d5dd8eb0e4be78754bd159cbc55bc2ef5d4ee3ebd2624f06ff5cc5d874b59
SHA512 326e65e91f9e3bd0e1976fa4e03d2e9c062724b08723e013faa2a5413d8934b46457c399f5396c265cb1aeb45d38921c26ba51d3c6f30b46a182e7da6b583bec

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 3d9e89de705d944990415d115367142c
SHA1 d21cf07c74607a8c3712999649ea4d778f130b95
SHA256 be81b7ae31909ee7529bbac9302b4bd3d4924a64636c2f7bcbb62e6549d0311f
SHA512 72acc5a0b081257755dc5bae49427ff23a5646864beef946eebc460d0f37357869b9bec4c9cee77b0e1830db36f5a404b09389e1913cae950193e3342667c504

C:\Users\Admin\AppData\Local\Temp\IEsW.exe

MD5 ad755f17a274b27a3a12445702500a4a
SHA1 6d2fc3a0ffc78a8284164b190c12271c1205b7e7
SHA256 1eea9a1dc3fb4c16cae3ab95108785d7b9437b465f492b6dd03aecedde58c61c
SHA512 251d7f2bc2956b9b9e1dff5dcd330e49aa2b80fb52035dbca54c9718f943b688b96b63407ee0947c24dd6e2cabb15c4da5e4a50bc42e191d539ab3ce47fab936

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 5d18d5c8484a10239de11c614781cd92
SHA1 31bea743b73fa116c07e3aa1b981c03dc9bc69c4
SHA256 2b2b14da7c71d3388f9f5ebacfbe1a6ea1b27bf9f0df50f5a0d4c9fcf2133b0e
SHA512 71f46eb2ad6b3ad269a94fe123b765495dc6cf9d981b766be498f693b6bd0a94266eab98e9f710792abbcc3ae48af9911b66d87df9e3c76924aec0ffa14c5512

C:\Users\Admin\AppData\Local\Temp\wQgW.exe

MD5 587a56d63f752004db33848c9f8f29d4
SHA1 fae06dd5b9043ab6608405bdf041df84f2e70003
SHA256 cb8771ec73f65a576782df1c3878900b31b5bdecfa28f4154e28bacd9fc5fd5b
SHA512 f95428b42f1a312605ec7c750cf519664b2e1ac20b148a747d264befe637ea6f6f6e12d1b3989d852a9f352615ec53b3fac5a0916a486e062d91bb9aad30d18f

C:\Users\Admin\AppData\Roaming\EnableConvert.jpg.exe

MD5 2eda051b9b78b91a62bfd8aad1038345
SHA1 1c1a5a35a7e5b5941681be219639a4e0d28d685d
SHA256 321b893b98ef9f8400a7b731d69608e4e9c2fbc8901fcf21a1026ed296c606c0
SHA512 4541232cd99d3b75a00d2da073920911d801dfb44d804c6144bb390a439e478c8f66dc9b1b62bee2215bb23b24a8e2f52ad098c1f9eff76f75d9e1fc2f968359

C:\Users\Admin\AppData\Roaming\LimitRename.zip.exe

MD5 534f3f0948adcb69b21bd4689b7a36e1
SHA1 cf0e02a87bc241b599f0c9d10932a3f5253862d4
SHA256 af40bb0264b10961e0291773e2d966efc4a298f91ca74dd9f6e7d7a2eaf0d5ec
SHA512 37b0e943aa72c8aefb4e330b7dd4867416c1d4047ab2bf6a17f9f8aae7b19f1c603a62456c886c1106bf7529f71d9f9339032a8c8ce8fec66a44afbb3a2c0fc1

C:\Users\Admin\AppData\Roaming\RevokeSwitch.mp3.exe

MD5 eb6a2e1080e568293966a88c1cb6de39
SHA1 3f170d38a6aa8cfbb8e6a48fccdff305c7fd3277
SHA256 f096bbf91347df52e86f197e2212c3db24fde1f92bb667a30a53290ac749f7ef
SHA512 90ef1c5bb085980b2fe0ff36923ad966cd2fd7e6348933bdcb56b91ca853765cdb8279022615c471b4bd64c5a0693a4475b8f8c2bf4c9bb444c5e7c4d93deab9

C:\Users\Admin\AppData\Local\Temp\wUEi.exe

MD5 26ea5facc8679fee261bf2b0798df5d1
SHA1 512b9515d9cf26c18feb3c2cb731ebc39858b388
SHA256 26384654201c523d3c012568932896318a8ad7294d4396b5c513cbdec700e7f0
SHA512 7a6c0cd200f06599a8ff5d828f85af4baaeb07184f1d50ec48d31b2457be6f453dc8b647aa726dceff83009100c1f7e411a89b4bebee1b062e9b7c2fbaa9920a

C:\Users\Admin\AppData\Roaming\WaitRedo.pdf.exe

MD5 44bdd1b4e07e7ff1a14e4fe2a9834776
SHA1 caee416d765ffe091024392652f0b1d5dae71e49
SHA256 cdd3c40be34faa9260b03643589964fd5955a6b43d4f71a9ba2f0411b8aaee89
SHA512 3c3f004076807e43930f4d3761cdbf835eb1543cca7cd4589ba600ed7aa2107038e6e48d6ad2cbe392682557aed02ea4b3e91107a2d9c3010adf16229f52e02b

C:\Users\Admin\AppData\Local\Temp\sYgY.exe

MD5 355601e96dcf548a59593cfe7d6ca71e
SHA1 af12c92319f935a6ec3e08ca2f3d9fcc0130317d
SHA256 fe4fe61b8caa6a7a86445dff3fba40665c318891f608daaa7fa4a0c5a6994285
SHA512 05b4482a6fcba22ad04fb20364368b161d2f8594a43ed5f59330887256ff11539d5a1e99a025ee25ac00636bfc335cd2a60101cc2225be4d908c6137dbb3f871

C:\Users\Admin\AppData\Local\Temp\WIgQ.exe

MD5 d066979cf43a0e1a2aecf3a16e8ce80b
SHA1 3c4f02c0bf8e693bde0158516cbb51ea1c25fb4f
SHA256 14ef762be08669c5c0e0199250bffc3f9fd8bab13daf1baf45f2e84a8b0ef58e
SHA512 e4af03fb44bb19226d44aebab6862b977d9dc9c185e9730cc7d1eafdb75d1d2839442f79e9f445d6da5b4220f2b78f0d78daa5b878274df31b372a1343ed8306

C:\Users\Admin\AppData\Local\Temp\eQUO.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\qcoO.exe

MD5 945dfa462ac1d855ad41f44a5eb6b841
SHA1 de94353825121bd4ae5460dacf35ba30a685266b
SHA256 4b6087364bed51c95d0e70e657b2ef1caee5215f28dddc4b10e2b85922077977
SHA512 4a97cf0754d0844a4909b98b35e247f350ab4ad3e02b1673001f77a3ebca8813b42631e9fedbdac8f37d497f6a907c1a0cb60cb8ccd203e5a45f2d27e2f3e85c

C:\Users\Admin\AppData\Local\Temp\mgki.exe

MD5 1094be70e46ab45f8a63f94d29429719
SHA1 3441fe3b152d3e285aeb01dde6648ff450768212
SHA256 2c79656451d858ae7223b9faea08124e1526de5026063ab2c3b0f4572b464152
SHA512 2eb29d230377be2fb318337cfec594db9d284b71baf03cf5fe92e756258ed291ae4d64d56288b8f7355310f96666d910a58fdeca0e13554614ab56687ea8dd04

C:\Users\Admin\Documents\ConvertFromOpen.pdf.exe

MD5 9acaa563d07ead4839a75b4498645a44
SHA1 c09c494d608f335fbb29176e46e282d55575a428
SHA256 903e8d4d63c7bc65a3edcc34814f7192032f35d28d5eb96b4c5ddd4011b2fb42
SHA512 a1864ee720ca77710c4ce9b7ed5ddb6ef66f1503e4c070e94fcf3731583ac6ff42b71d1806255c2a7121809a231e484c8b5134efb67ec03c507319b3067b39c8

C:\Users\Admin\AppData\Local\Temp\EMAg.ico

MD5 7c132d99dba688b1140f4fc32383b6f4
SHA1 10e032edd1fdaf75133584bd874ab94f9e3708f4
SHA256 991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191
SHA512 4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

C:\Users\Admin\AppData\Local\Temp\Agkw.exe

MD5 240479582bd87e1aa1f661aaf94a01e5
SHA1 42be6426581e4e11a129f41ead59b474a8ba21ef
SHA256 54fed5d75930f273708def56d8279e2db04e5b84308da8ba5cb9503bff4bd0c4
SHA512 91e20645e9b07cd6fde07a89e40f8e016819dbc48bb2ca056b64e3e912e8a28b782a9c694c4ed426e7020165fa049536fa6a0fdd87f576ffc68b5b684e1d73a1

C:\Users\Admin\AppData\Local\Temp\AUAo.exe

MD5 d6bb09307f8bfc8dba04f625132fc5b9
SHA1 9e8776531222e0b5f7d87fe10bc5b64ce808286f
SHA256 5639c00e53a5114c2991ad33287e402f500d2dd3b08361077b73a6db10fb8844
SHA512 c95531c1b51b10f04e4b2d9a8566b3605b1a0850ebe0a8f38be171fad9ebc3c516c6a0cb651a9e11a8e7d54797c1fc408f2399b2c789f1d6f4dd1afc403c2799

C:\Users\Admin\AppData\Local\Temp\EUoo.exe

MD5 a66ce38102d81babff1af4a4f0d9f2b3
SHA1 b1d90cba0c7e208c0525335f4150af125924d621
SHA256 8528d4186fc2f8277de1ff625e14747c62abac42674e2b7e27783a8ad9f98f1f
SHA512 71ca4cf090599107b6df7b5c1bfa4347a01fcb48a61e0fee75daf3373b87bc599413272223b88e4554481dfb208a5f1d0f6cf38630e3775091ca267bb83fbd27

C:\Users\Admin\AppData\Local\Temp\KYEK.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\qkkO.exe

MD5 ddee7f0f3d40e8a7fbe07bf8730ea366
SHA1 b0d2f02549033c639e1c4d4fdae8766af68df3e9
SHA256 517a813097e55e4cf1ca9e03401ee7b232e1e766008ef453e35ae80f2fb30433
SHA512 a012a9d9e40463956d45c5c59fe3af652ce4d092b26bc9d7d091a1dc12e524a0b7c9b72077df1513c06ad43260be5538b6a5f4bd6f65343fd3963f7478d5317a

C:\Users\Admin\AppData\Local\Temp\cYoW.exe

MD5 81978ffe986eda69d32bdb0056209c50
SHA1 5b625696fe0189fe46e1bff0b48a637abd3acc74
SHA256 17408ed66894a74df5baa66b2c83870c8ba1f2cbd328804f72abcff2b8bdce6e
SHA512 ca948240b03b87e1c89fd5d9e4168a85e8630949cc81d0ecd294913adf0ed78b10309015dfaaebb3e36f0cd07655b8b7fbc207982b346e82c65d509d8a46ce54

C:\Users\Admin\Downloads\OpenAdd.wma.exe

MD5 16ae3a68b40d4e9026ae55bbe6588afb
SHA1 147238f5ed6da9461d73d3919a30dc67670ddb56
SHA256 a05f55a96e46ccb21e888700cad77bf340f31a3e9d00b5ebbc1e1a904850ace8
SHA512 514eca31ca42f0509e9e659ec56740c57b13ae249567135646e17c245de0510fac6a0b19795ef36afe940d1410f66babe5730865ac5523ae54fb2821cd49e46c

C:\Users\Admin\Downloads\UndoGet.png.exe

MD5 71858b2989bec48659ae8ce9f89a8158
SHA1 3e0da20dd327c25824d8cb404931e0153e0ad78c
SHA256 d97e16def2ce6ce7fb43a9b8a02713895a51fdbdbe4b10fd193bac584124b67e
SHA512 85e3bf45cee338433ee415ee55bb3155d1fcc6db35f71195e37126900a3392b75aacdbf8931f0c312954b7acae45a5cfe1615be43e4e489517c98a3f77750a8e

C:\Users\Admin\AppData\Local\Temp\YcMu.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\Music\GrantInitialize.jpg.exe

MD5 948e66821524c1f813f8becc51e3de85
SHA1 c68a5ee8ad26bd369329c98e669fbde51d6cdf34
SHA256 74381bf20a677b2e057748e2ae8016cbe09ff5078e33459571f9781ab9d7ecc6
SHA512 623151c91b23ed22b1a0557029a349cf5da431696a5d30e67f0b0b6a4415851254075868b459c0a98ff83778700a8fee31c094a0d3cda07eb90ece9222183625

C:\Users\Admin\AppData\Local\Temp\gsoY.exe

MD5 0e170f8865708ae545d847ad820cdbd1
SHA1 2c7070e1ea657b4b9cb4424ad4c9726a98e9b751
SHA256 9cd86338645b7c8ee6c5f02fefb9da420db257e206f716a24199529b095ecb93
SHA512 a26f60005cabd0c3d22270f5fb444c7b16eb2b5862ce1074e9c59325ae056667d8f395d7abc9e558119235fbb0c84ea3322a86efba2083d516edca340eec6254

C:\Users\Admin\AppData\Local\Temp\wEUy.exe

MD5 20f20347bb748f6deb7c42f457f1a95f
SHA1 771ffc155727f80d67c5a5d1bca1542b52c7d986
SHA256 6016947fd59e0f2a8446a9225b599c46d4399e6948614ea0679905f1286dd1a4
SHA512 ac6ac80c1020604ce226c16a42489b7226a7ebab04092246d5d81683edf9274f3d432285f5a496065d65899c409f5761164003db9395e310cdf59b5248880e60

C:\Users\Admin\AppData\Local\Temp\CIca.exe

MD5 1641ec6f587a2c4ceb8bc7abb8aac9c2
SHA1 11b1b30e4895eb7042976a0011fb26a71caf9678
SHA256 70fab911e3fbe0442f2b16c2e8aa3b717328aa5d7236c1468ba30e7df02996b9
SHA512 edfbaf91de7a47cd0a7b12df49b18e3be0c4f1578c2102d4c62d3c39435e06020e55992dc206a4b7594deb1638ccc3e8ef58532041fde2d1050662aea92ff09c

C:\Users\Admin\AppData\Local\Temp\YccY.exe

MD5 a90262a17b0ecaba9393d07b7d1296ad
SHA1 1edf67aa49b963b0f550fa8215fe8a83f53a2675
SHA256 859844a7140b7145ea4e864c1dc757124f629468c3bddf20e01f2cb0b4d0bbf3
SHA512 4f8fc92de5af03db38d97a35bc4d612712df4ab0e0878487d8ea07bbcd0f3c8dda54439850f6b1e5923484557a6c805b1cb8f76a1b2270634eaeb2f1d5b82646

C:\Users\Admin\Pictures\WritePop.png.exe

MD5 cc2c69ddc17fbd10a6734b3c7872938f
SHA1 6c5d7f474c3a7518774063e06e87be4c3b4c1f3c
SHA256 3ef0c7363a977b126aa1271b69aa6d10eada0c6e270de9187989715c2e526a1f
SHA512 3b6a2888d88f45400a923c8ff32c59896b2cab2119034bad7a6fae3961975bf7c489fc812f457f12c0121919df988aa709b565ce94097dc77df725206bf7748a

C:\Users\Admin\AppData\Local\Temp\OYkI.exe

MD5 97b8bbcfca85fc7047bd8ecfa5f8de75
SHA1 3e9672023f8d2b8422bc8414160a7a4f1b78026a
SHA256 eb48d21aa55237a88a6141e09217b522828e032b28f3ecc9adca79c6db3b2ff6
SHA512 40aa5b5f83647523be142525bb3702c97601938db56c7ede124a1d1c3cce227831f635f9448d47242928ec9b9ab22b6a90e85afda5224fddcb7691cd1225e60a

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 f0c51b3aa17375dda24da030e24a6bd2
SHA1 7342be36553ad3690fed5359693bf68934ff00ab
SHA256 275aad5927811501779bfbbc09cd7716a7e44010f4b1d696b7fdcbf08b5ce490
SHA512 d894b4f2118a02d0b1ec395e5511da444e1b68df5a1551333651a01f561fc56c1d80a2e0a9bb9c4c87a71fde1cabef54db784ee4a6f926e791b0e62122ddab5e

C:\Users\Admin\AppData\Local\Temp\oAsY.exe

MD5 c61edc776319f6fb30b1faed4f773cca
SHA1 29e9d67c1bc0b2902c42a74afa13c3681919ab52
SHA256 34e0dae6e9c00e3cd7ed6563d80e368a4ed3135059fc62cc9ce55d314674772a
SHA512 95a7ef2a871df07c5c56dc68e75a48f9f9b13954beeaebbc6a35c96652d951d98492cdbdd3d45f4552ea3235b6b9cd42cd81b9758625065c60ad50da94a6ecfa

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 3110941fbddcc1b8ab683ecd0cc37ee5
SHA1 e27f18d78b54a7517d529f7a2665eb60a18784c2
SHA256 b88939cfe60a2314f58cdf57b456cfe49d5c9e412910fb10560c50d86c8c4bfb
SHA512 7e5f99cb8fe093278e286dbdb5dccdfc8680ffe267116063a5a05e13aab546ebfdb560417c07047c5e1d7783d5109546dbf4abd3bb34bf77ee245a017150ee11

C:\Users\Admin\AppData\Local\Temp\SwEU.exe

MD5 19a28c5a5dfcda7da47256e2383be550
SHA1 5ba7fb7dbda692a683efff85bf9d3af0a7ebd5f5
SHA256 e73d70a049e0a9d787061869809848ee78745b8fbed8618ab3d4f0309e6383c7
SHA512 fcf3d16cbfd7d9d3ac2ff9485eb1f3635d69c33d87fcf9fee7378509c0c3a3f68a79a8546cdc905904af42a5d6d400a80e43c2c235cbe55b547dae7cecbea187

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 dfc64c0bef408f9f366989b85bac71a5
SHA1 5fcdc3047caef84b4641e1da9cb8c94da1b20c2d
SHA256 e587c8de671c6d021ce67daefc36f72ed75913903b64c7764d845d9b9cdd41cf
SHA512 5ad42e50550c7be38cde388050cec406ac67e4831fca1837840960a9f3084117f49dd20b05c932b1f9ff16cef2790fa298b7e9beec4462e792ab0885d5ff624b

memory/4856-1641-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3724-1642-0x0000000000400000-0x000000000041D000-memory.dmp
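Two patterns stand out in the dropped-file list above: user and system files whose real extension has had `.exe` appended (`OneDriveMedTile.scale-100.png.exe`, `ConvertFromOpen.pdf.exe`, `OpenAdd.wma.exe`), and four-letter executables and `.ico` files written directly into `%TEMP%` (`SosM.exe`, `wcou.exe`, `eQUO.ico`). Every SHA256 in the list is distinct, which is what a polymorphic infector such as the VirLock family named in this sample produces, so blocking these particular hashes will not catch the same infection on another host; the naming pattern is the more durable hunting signal. The following parser, an added example and not part of the sandbox report, reads the report's path-then-hash layout, sorts each entry into one of those roles, recovers the original name of each infected host file, and checks the all-hashes-distinct property. The excerpt it runs on is a constructed sample of six entries copied from the list above, with the SHA512 lines left out for brevity; the role names and the extension list are assumptions of this example.

```python
"""Parse a sandbox 'Files' listing (path line, blank line, then MD5/SHA1/SHA256/SHA512
lines) and sort the dropped files into the roles visible in this report."""
import re
from collections import Counter

# Constructed excerpt: six entries copied from the report's Files list above
# (SHA512 lines omitted here for brevity; the parser accepts them as well).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

MD5 af734d2675d4576b3f0c400630619fa6
SHA1 b70d1b78c3dcbce38692078f29b219d9ad5486a4
SHA256 59501b75d3ee180fe4b8b4d4fbfdc475516c4d432ceb3708b32716da89d9de01

C:\Users\Admin\AppData\Local\Temp\SosM.exe

MD5 5447952e5a92253111cd0ac596a4ebe1
SHA1 049ef56820dc2c2fc65e28421696553dbb451b17
SHA256 65cb588a8d27f554f8b58b3c424bbb0247d7da275c72401285e9eb280e9d3138

C:\Users\Admin\Documents\ConvertFromOpen.pdf.exe

MD5 9acaa563d07ead4839a75b4498645a44
SHA1 c09c494d608f335fbb29176e46e282d55575a428
SHA256 903e8d4d63c7bc65a3edcc34814f7192032f35d28d5eb96b4c5ddd4011b2fb42

C:\Users\Admin\AppData\Local\Temp\eQUO.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

C:\Users\Admin\AppData\Local\Temp\wcou.exe

MD5 8626140add3966a910faf5914d2c1542
SHA1 df0f880d4883e7f3650279b97020b35e7a6f9b43
SHA256 19aae1d136a59da8c68e76a4b8da5e301d8b83e696479fc19aaba67a2e9bcf13

memory/4856-1641-0x0000000000400000-0x000000000041D000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|memory/)")          # a line that opens a new entry
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Host file whose real extension (image, document, archive, media) had ".exe" appended.
# The extension list is an assumption of this example, chosen from the report's entries.
DOUBLE_EXT_RE = re.compile(r"\.(png|jpe?g|gif|bmp|pdf|docx?|xlsx?|pptx?|zip|rar|mp3|wma|txt)\.exe$", re.I)
# Four-letter random names written straight into %TEMP% (droppers and their icon files).
TEMP_DROPPER_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z]{4}\.exe$")
TEMP_ICON_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z]{4}\.ico$")


def parse_entries(text):
    """Return [{'path': str, 'hashes': {algo: hex}}] in report order; hash lengths are validated."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            entries.append({"path": line, "hashes": {}})
            continue
        m = HASH_RE.match(line)
        if m and entries:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length: {line}")
            entries[-1]["hashes"][algo] = digest
    return entries


def classify(path):
    """Role of one dropped file; order matters because a Temp dropper never has a double extension."""
    if path.startswith("memory/"):
        return "memory_dump"
    if TEMP_DROPPER_RE.search(path):
        return "temp_dropper"
    if TEMP_ICON_RE.search(path):
        return "temp_icon"
    if DOUBLE_EXT_RE.search(path):
        return "infected_host_file"
    return "other"


def original_name(path):
    """Name the victim file had before '.exe' was appended, or None if not an infected host file."""
    base = path.rsplit("\\", 1)[-1]
    return base[:-4] if DOUBLE_EXT_RE.search(base) else None


def summarize(entries):
    """Role counts plus the check that matters for IOC value: are all SHA256s distinct?"""
    sha256s = [e["hashes"]["SHA256"] for e in entries if "SHA256" in e["hashes"]]
    return {
        "roles": dict(Counter(classify(e["path"]) for e in entries)),
        "sha256_count": len(sha256s),
        "all_sha256_unique": len(sha256s) == len(set(sha256s)),
        "victims": [original_name(e["path"]) for e in entries if original_name(e["path"])],
    }


if __name__ == "__main__":
    for role, n in summarize(parse_entries(REPORT_EXCERPT))["roles"].items():
        print(f"{role:20s} {n}")
```

Run against the full list rather than the excerpt, the `victims` field gives the set of user files to restore from backup, and `all_sha256_unique` being true is the reason to hunt on the `*.<ext>.exe` and `%TEMP%\????.exe` name patterns rather than on the hashes themselves.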